LetsEncrypt Support in DirectAdmin Control Panel

Posted at March 30, 2017 at 10:42 pm by Jithin

LetsEncrypt is a certificate authority that provides free SSL/TLS certificates for web servers through an automated process. Enabling SSL usually requires manual creation, validation, signing, installation, and renewal of certificates before a website can be served over a secure connection; the automated process eliminates those manual steps. LetsEncrypt certificates are also supported by all major web browsers. This tutorial describes LetsEncrypt support on a DirectAdmin web server. LetsEncrypt support has been a built-in feature since DirectAdmin version 1.50; on older versions it can be enabled manually by logging in to the server via SSH.

 

Enabling as a built-in feature

1) First, update the DirectAdmin control panel and the server to the latest versions.

2) Enable LetsEncrypt in the DirectAdmin configuration file, /usr/local/directadmin/conf/directadmin.conf. You can edit the file manually and change the value from 0 to 1, or run the command below, which appends letsencrypt=1 if that line is not already present.

$ grep -q 'letsencrypt=1' /usr/local/directadmin/conf/directadmin.conf || echo 'letsencrypt=1' >> /usr/local/directadmin/conf/directadmin.conf

To allow multiple SSL-enabled sites on a single IP address, SNI support of the TLS protocol must be enabled on the server. The command below enables SNI:

$ grep -q 'enable_ssl_sni=1' /usr/local/directadmin/conf/directadmin.conf || echo 'enable_ssl_sni=1' >> /usr/local/directadmin/conf/directadmin.conf

 

3) After changing the configuration file, restart DirectAdmin.

4) Support is now enabled, and the next step is to provision the certificate. Log in as the user for whom the certificate is being requested and navigate to Advanced Features >> SSL certificates.

5) Choose the third option, “Free & automatic certificate” from Let’s Encrypt, and fill in the fields. DirectAdmin will enable the SSL certificate and display the message “Certificate and Key Saved” along with the certificate details.
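The grep/echo commands in step 2 only append a line: if directadmin.conf already contains letsencrypt=0, the file ends up with two conflicting entries. The following is an added example, not part of the original tutorial or of DirectAdmin; da_set_option is a hypothetical helper that replaces any existing line for the key, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: da_set_option is a hypothetical helper, not a DirectAdmin command.
# Assumes directadmin.conf holds one key=value pair per line and that keys
# contain only letters, digits and underscores.
da_set_option() {
    conf=$1; key=$2; value=$3
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 1; }

    # Exactly one line for this key, already at the wanted value: nothing to do.
    current=$(grep "^${key}=" "$conf" || true)
    if [ "$current" = "${key}=${value}" ]; then
        return 0
    fi

    tmp=$(mktemp) || return 1
    # Drop every existing line for the key (for example letsencrypt=0),
    # then append the single wanted line.
    grep -v "^${key}=" "$conf" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    # Write the content back through the existing file so its owner and mode
    # stay as they were.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Demo on a constructed sample file (not a real directadmin.conf).
demo_conf=$(mktemp)
printf 'port=2222\nletsencrypt=0\n' > "$demo_conf"
da_set_option "$demo_conf" letsencrypt 1
da_set_option "$demo_conf" letsencrypt 1      # second run changes nothing
da_set_option "$demo_conf" enable_ssl_sni 1
cat "$demo_conf"
rm -f "$demo_conf"
```

On a real server the first argument would be /usr/local/directadmin/conf/directadmin.conf, followed by the restart in step 3.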

 

Enabling manually

SSH to the server and clone the LetsEncrypt client code with Git, using the commands below.

$ git clone https://github.com/letsencrypt/letsencrypt

$ cd letsencrypt

You need to provide your Webroot path. The client places the authentication challenge files there to do the actual certificate domain ownership validation. You can find that in your webserver configuration. For DirectAdmin it’s like this: /home/USERNAME/domains/DOMAIN.EXT/public_html.

Now execute the LetsEncrypt command to get the certificate.

$ ./letsencrypt-auto --server https://acme-01.api.letsencrypt.org/directory certonly --agree-tos --email 'user@domain.tld' --webroot --webroot-path '/home/USERNAME/domains/DOMAIN.COM/public_html/' -d domain.com -d www.domain.com

If you need a certificate with multiple subdomains or with www.domain.tld and domain.tld, specify the -d domain option multiple times. Make sure the Webroot is the same. If you only need one domain, change the example and remove the last -d option. The client will then do a bit of work with the LetsEncrypt service to validate domain ownership. If all goes well it will print out the below message:

Version: 1.1-20080819

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/DOMAIN.COM/fullchain.pem. Your cert
   will expire on 2017-03-31. To obtain a new version of the
   certificate in the future, simply run Let’s Encrypt again.
 - If you like Let’s Encrypt, please consider supporting our work by:
   Donating to ISRG / Let’s Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 

The LetsEncrypt certificate has now been issued and you can proceed with the installation. The certificate files are placed on your system, and you can list them with the following command:

$ ls -la /etc/letsencrypt/live/DOMAIN.COM/

 

Get the contents of the certificate, private key and chain with the following commands. Remember to replace certificatemonitor.org with your domain:

$ cat /etc/letsencrypt/live/certificatemonitor.org/cert.pem

$ cat /etc/letsencrypt/live/certificatemonitor.org/privkey.pem

$ cat /etc/letsencrypt/live/certificatemonitor.org/chain.pem
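Before pasting these files into the control panel, it helps to confirm that cert.pem and privkey.pem belong together, that the certificate is not about to expire, and that the private key is readable only by its owner. The following is an added example, not part of the original tutorial; check_le_files is a hypothetical helper, the 30-day threshold is an assumption, and it relies on the openssl command-line tool being installed.

```shell
#!/bin/sh
# Added example: check_le_files is a hypothetical helper, not a LetsEncrypt command.
# Usage: check_le_files /etc/letsencrypt/live/DOMAIN.COM [min_days]
# Returns 0 if all checks pass, 1-4 for the first check that fails.
check_le_files() {
    dir=$1; min_days=${2:-30}   # 30 days is an assumed default

    # 1: the three files named in the tutorial must exist and be non-empty.
    for f in cert.pem privkey.pem chain.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done

    # 2: the certificate and the private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "cert.pem does not match privkey.pem" >&2; return 2; }

    # 3: -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$dir/cert.pem" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 3; }

    # 4: privkey.pem must not be readable by group or others. -L follows the
    # symlink in live/; characters 5 and 8 of the mode string are those bits.
    mode=$(ls -lL "$dir/privkey.pem" | cut -c5,8)
    [ "$mode" = "--" ] ||
        { echo "privkey.pem is readable by group or others" >&2; return 4; }

    echo "OK: $dir"
}

# Run the check when a directory is given on the command line.
if [ $# -gt 0 ]; then
    check_le_files "$@"
fi
```

Because the cat commands above print the private key to the terminal, run them only in a session whose scrollback and logs are not shared.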

 

After you’ve installed the certificates in the control panel (DirectAdmin), we need to symlink those files to the LetsEncrypt files so that auto renewal will work. The certificates must first be installed via the control panel so that the configuration is updated correctly, because most control panels overwrite manual changes.

Log in to your DirectAdmin control panel and navigate to your website. Under “Advanced Features” click “SSL Certificates”. Select the radio button for the “Paste a pre-generated certificate and key” option. In the text field below, first paste the contents of the cert.pem file. Below that, paste the contents of the privkey.pem file.

Click the Save button. Now go back to the main domain screen and navigate to “Advanced Features” –> “SSL Certificates” again. Scroll down and open the link “Click Here to paste a CA Root Certificate”. Mark the checkbox “Use a CA Cert”, paste the contents of the chain.pem file there, and click the Save button.

If you haven’t already enabled SSL for your domain, do that now. Navigate to the main domain screen, click “Domain Setup”, and open your domain. Mark the “Secure SSL” checkbox and click the Save button. Then, under “private_html setup for DOMAIN.COM – (SSL must be enabled above)”, mark the radio button “Use a symbolic link from private_html to public_html – allows for same data in http and https” and click the Save button again. Now navigate to https://yourdomain and verify the certificate.

 

If you need any further help please contact our support department.

 

 
