new: Ability to have backup tar exit code 1 throw an error
Previously, DA was changed to allow tar exit code 1 without throwing an error.
By default, this remains true.
If you want DA to throw a backup error when exit status 1 is returned, you can add this to your directadmin.conf:
where the internal default is 1, meaning that exit code 1 (and 256) is accepted and will not throw an error.
If you change it to 0, then exit code 1 (and 256) are no longer accepted, and DA will throw an error.
new: Brute Force Monitor: skip the per-User distributed attack count
DirectAdmin's BFM counts how many times a specific IP attacks the server, but also how many times a specific User is attacked from any IP.
Sometimes the Admin may not want to track the number of attacks on a specific User, so you can set the option:
to 0, which disables DA's count on specific Users.
By default, the user_brutecount option is set to the number of failed attempts on a specific User before a notice is sent.
Disabling user_brutecount (setting it to 0) will likely improve the loading time of the Brute Force Monitor page.
new: letsencrypt_pre.sh and letsencrypt_post.sh
Custom scripts run before and after calls to letsencrypt.sh.
acme-challenge-dir=/var/www/html/.well-known/acme-challenge OR /home/fred/domains/domain.com/public_html/.well-known/acme-challenge
keysize=2048|4096 (Note: LE only supports 2048 bit at this time, so regardless of what's passed, you'll get a 2048 bit cert)
The letsencrypt_post.sh script receives all of the above, with the addition of:
where 0 means everything worked during the letsencrypt.sh call.
The letsencrypt_pre.sh script must exit with a zero status, or the process will abort.
The exit status of letsencrypt_post.sh cannot abort anything, since everything is already done by the time it runs.
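As an added example (not DirectAdmin's own hook script), here is a letsencrypt_pre.sh that refuses to proceed when the challenge directory is missing or not reachable by the webserver, which is exactly where a non-zero exit is useful: the request is aborted before it is spent. It checks both acme-challenge and its .well-known parent, since DA sets the latter to 755 for the same reason. It assumes DA passes the values listed above to the hook as environment variables under the same names; because acme-challenge-dir contains a hyphen and cannot be expanded as a shell variable, it is read with printenv. The helper function names are the example's own.

```sh
#!/bin/sh
# Added example of a letsencrypt_pre.sh hook; not DirectAdmin's own script.
# Assumption: DA exports acme-challenge-dir and keysize as environment
# variables under exactly those names. A hyphenated name cannot be expanded
# as a shell variable, so it is read through printenv instead.

# Return 0 when DIR is a directory that "other" users can read and search
# (what the webserver needs to serve the challenge file), otherwise 1.
other_can_read_and_search() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # Characters 8-10 of the long listing are the "other" permission bits.
    case "$(ls -ld "$dir" | cut -c8-10)" in
        r?x) return 0 ;;
        *) echo "$dir: needs o+rx (for example mode 755)" >&2; return 1 ;;
    esac
}

# Return 0 when the challenge directory and its .well-known parent are both
# usable by the webserver, otherwise 1.
check_challenge_dir() {
    dir="$1"
    [ -n "$dir" ] || { echo "acme-challenge-dir is not set" >&2; return 1; }
    other_can_read_and_search "$dir" || return 1
    other_can_read_and_search "$(dirname "$dir")" || return 1
    return 0
}

# Return 0 when KEYSIZE is one of the two values DA can pass, otherwise 1.
check_keysize() {
    case "$1" in
        2048|4096) return 0 ;;
        *) echo "unsupported keysize: $1" >&2; return 1 ;;
    esac
}

main() {
    challenge_dir="$(printenv acme-challenge-dir 2>/dev/null)"
    check_challenge_dir "$challenge_dir" || exit 1   # non-zero aborts the request
    check_keysize "${keysize:-2048}" || exit 1
    exit 0
}

# Run the checks only when installed as the hook itself, so the functions
# above can also be sourced and exercised on their own.
case "$0" in
    *letsencrypt_pre.sh) main ;;
esac
```

The permission test looks at the listing rather than trying to read the directory, because the hook runs as root and could read a 700 directory that the webserver user cannot.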
new: Let's Encrypt autorenew lowered from 85 to 60 days
As recommended by the LE developers, we've lowered the autorenew time from 85 days down to 60 days.
This should give people more time to resolve issues, should anything go wrong.
"The Technical Advisory Board chose a 90-day certificate lifetime to start with, with an expectation that people will want to auto-renew at the 60-day mark."
Also, the rate limit has been changed from 5 to 20 top-level domain requests per week.
There is nothing to change in DA, but this lets you make more requests, if needed.
new: Let's Encrypt: Ability to select which DNS records to include in the certificate (SKINS)(LANG)
Changes to the SSL page.
When the Let's Encrypt feature is enabled and set to 1 (not 2), a User can select this option when creating a certificate request (CSR).
When selected, a scrollable table is shown with a list of items that can be selected via checkbox.
The items include the domain name, all subdomains, and a preset list of options, eg:
as well as all of the above for all domain pointers under the domain.
The User can select which ones they want, keeping in mind that there is a weekly request limit of 20 (at the time of this writing),
so a single submission can never hold more than 20 items.
Keep in mind that if you select 20 and then make a mistake, you cannot try again until one full week later.
In the directadmin.conf, the internal defaults are:
where currently, max_requests_per_week is only displayed, and not counted or enforced.
The request itself will simply throw an error if the limit has been exceeded.
This allows the LE site to increase their limit without DA needing to track a lower limit of its own.
The letsencrypt_list is a colon separated list of additional records to include in the list.
The letsencrypt_list_selected value is a similar list, but contains the items that are to be selected by default. It can include a subdomain that isn't in the letsencrypt_list, if you want.
The letsencrypt_multidomain_cert value allows all other domains under this User to show up in the list.
If set to 1, it only adds the other domains under the User.
If set to 2 (internal default), it adds the other domains under the User, plus any domain pointers under those domains.
The option letsencrypt_renewal_success_notice is set to 0 by default.
If you set it to 1, the User will get a message each time a renewal goes through without error.
Renewal errors will always notify the User, regardless of this setting.
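To make the selection rules above concrete, here is an added example (not DirectAdmin's code) that builds the candidate list the SSL page would offer and applies the checks this entry describes: more than zero entries, the main domain included, every entry drawn from the offered list, and no more than max_requests_per_week entries. DA itself only displays the weekly maximum and leaves enforcement to LE; the example applies it as a pre-check so a mistaken oversized submission is caught before a week's quota is spent. The option names are DA's; the sample domain, subdomains and pointer are constructed.

```sh
#!/bin/sh
# Added example, not DirectAdmin's code. Builds the Let's Encrypt candidate
# list and validates a selection against the rules in this changelog entry.

# Print one candidate hostname per line: DOMAIN itself, SUB.DOMAIN for every
# name in SUBDOMAINS (space separated), PREFIX.DOMAIN for every entry of the
# colon-separated LETSENCRYPT_LIST, then the same set for each POINTER.
le_candidates() {
    domain="$1"; subdomains="$2"; letsencrypt_list="$3"; pointers="$4"
    for d in "$domain" $pointers; do
        echo "$d"
        for s in $subdomains; do echo "$s.$d"; done
        echo "$letsencrypt_list" | tr ':' '\n' | while read -r p; do
            [ -n "$p" ] && echo "$p.$d"
        done
    done | sort -u
}

# Validate a selection (entries as arguments) for DOMAIN: at most MAX entries,
# each present in the newline-separated ALLOWED list. Returns 0 when the
# request may be submitted, 1 with a message otherwise; the messages mirror
# lang entries 37-39 and LANG_LE_MAX listed in this changelog.
le_validate_selection() {
    domain="$1"; max="$2"; allowed="$3"; shift 3
    if [ $# -eq 0 ]; then
        echo "Must select more than zero LetsEncrypt entries." >&2
        return 1
    fi
    if [ $# -gt "$max" ]; then
        echo "Maximum requests per week is $max, but $# entries were selected." >&2
        return 1
    fi
    for e in "$@"; do
        # -F -x: exact, literal line match, so a dot in the name is not a wildcard
        if ! printf '%s\n' "$allowed" | grep -qxF -- "$e"; then
            echo "Requested LetsEncrypt value of '$e' is not an allowed value." >&2
            return 1
        fi
    done
    for e in "$@"; do
        [ "$e" = "$domain" ] && return 0
    done
    echo "Must include your domain $domain in the LetsEncrypt entries." >&2
    return 1
}

# Constructed sample run: the list format is DA's, the values are not.
demo() {
    cands=$(le_candidates example.com "blog shop" "www:mail:ftp" "example.net")
    printf 'candidates:\n%s\n' "$cands"
    if le_validate_selection example.com 20 "$cands" example.com www.example.com mail.example.com; then
        echo "selection accepted"
    fi
}
demo
```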
user/ssl.html - many changes here:
 - The 3 main radiobutton options (server, request, paste) now use the listtitle class, rather than list.
 - The 3 request radiobuttons now have: onClick="set_letsencrypt_options();"
 - Below the Cert Type, a new "tr" with the LETSENCRYPT_OPTIONS token is inserted.
 - The JS function init_letsencrypt_options(); should be called after the table is displayed.
34=Must use letsencrypt=1 for options. letsencrypt=%d is currently set.
35=Let's Encrypt Certificate Entries
37=Requested LetsEncrypt value of '%s' is not an allowed value.
38=Must select more than zero LetsEncrypt entries.
39=Must include your domain %s in the LetsEncrypt entries.
LANG_LE_MORE_THAN_ZERO=Must select more than zero entries.
LANG_LE_REQUESTS_PER_WEEK=requests per week.
LANG_LE_MUST_INCLUDE_MAIN_DOMAIN=You must include your main domain:
LANG_LE_MAX=Maximum requests per week
new: Per-User user.conf override for max_per_email_send_limit
Relating to the directadmin.conf option:
You can now add a value, eg:
to a given User's user.conf file to override the directadmin.conf value.
This is useful if you have one User you want to allow a high per-Email send limit, without allowing all DA Users to set a high per-Email send limit.
You'll need to manually add the max_per_email_send_limit value to the given User's user.conf file for it to take effect.
new: Disable overusage notices if account=OFF
When an Admin or Reseller manually suspends an account, this also sets "account=OFF" in the user.conf file.
This change disables the over-usage warning messages for an account that is currently set to account=OFF.
The sentwarning=yes flag will not be set in the user.conf, allowing the warning to be sent at a later date, should account=ON be set later on.
The overusage_notice_post.sh script will still be called.
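The two user.conf rules above (the per-User max_per_email_send_limit override, and the suppressed overusage notice while account=OFF) resolve as shown in this added example, which is not DirectAdmin's code. The key names are DA's; the key=value reader, the temporary sample files and their values are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not DirectAdmin's code. Resolves the effective per-email
# send limit (user.conf overrides directadmin.conf) and decides whether an
# overusage notice may be sent (not while account=OFF).

# Print the value of KEY from the key=value FILE, or DEFAULT when absent.
conf_get() {
    file="$1"; key="$2"; default="$3"
    val=$(grep "^$key=" "$file" 2>/dev/null | head -n 1 | cut -d= -f2-)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Effective per-email send limit for a User: user.conf wins over directadmin.conf.
effective_send_limit() {
    user_conf="$1"; da_conf="$2"
    server_limit=$(conf_get "$da_conf" max_per_email_send_limit 0)
    conf_get "$user_conf" max_per_email_send_limit "$server_limit"
}

# Return 0 when an overusage notice may be sent for this user.conf, 1 when the
# account is suspended (account=OFF). sentwarning is deliberately not touched,
# so the notice still goes out later once the account is set back to ON.
overusage_notice_allowed() {
    [ "$(conf_get "$1" account ON)" != "OFF" ]
}

# Constructed sample run: writes two user.conf files and a directadmin.conf
# into a temporary directory, resolves them, and cleans up.
demo() {
    tmp=$(mktemp -d)
    printf 'max_per_email_send_limit=200\n' > "$tmp/directadmin.conf"
    printf 'username=fred\naccount=ON\nmax_per_email_send_limit=1000\n' > "$tmp/fred.conf"
    printf 'username=bob\naccount=OFF\n' > "$tmp/bob.conf"
    echo "fred: limit $(effective_send_limit "$tmp/fred.conf" "$tmp/directadmin.conf")"
    echo "bob:  limit $(effective_send_limit "$tmp/bob.conf" "$tmp/directadmin.conf")"
    for u in fred bob; do
        if overusage_notice_allowed "$tmp/$u.conf"; then
            echo "$u: overusage notice would be sent"
        else
            echo "$u: account=OFF, notice skipped (sentwarning left unset)"
        fi
    done
    rm -rf "$tmp"
}
demo
```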
new: Show Warning if DA has not been restarted since last license update (SKINS)(LANG)
If the timestamp on the license.key file is newer than DirectAdmin's last restart time, a warning will be shown on the Licenses/Updates page, along with a URL to restart DA if needed.
Failing to restart DA after updating a license may result in a confusing "License Expired" message, even though the license itself is updated; it just hasn't been loaded yet.
    <tr><td class=list align=center colspan=2>*** <b>|LANG_DA_NOT_RESTARTED|</b> ***<br>
    <a href="CMD_SERVICE?action=restart&service=directadmin">|LANG_RESTART_DA|</a></td></tr>
LANG_DA_NOT_RESTARTED=DirectAdmin has not been restarted since the last license.key update!
new: Ability to change ns1/ns2 values without affecting package (LANG)
will now have the ns1/ns2 rows as text inputs, and to the right of ns2 there will be a button, "Save Nameservers".
This lets you alter your ns1/ns2 values without the User package being set to "custom".
Can be done with the API as well:
This will also trigger the user_info_modify_post.sh hook script.
113=ns1 or ns2 are not valid nameservers
114=No changes have been made
573=Error saving Nameservers
574=Nameservers have been changed
fixed: LetsEncrypt: Don't require the use of the other CSR fields (SKINS)
The Let's Encrypt certificates don't include other fields like company, names, etc.; they're very basic.
DA currently still requires that you fill out the whole form, so the DA code and Skins were changed so they don't require the "other" fields, since they're not used anyway.
    // Hide (disp = 'none') or show (disp = '') the CSR rows that Let's Encrypt does not use.
    function set_letsencrypt_other_options(disp)
    {
        document.getElementById('country_visibility').style.display = disp;
        document.getElementById('province_visibility').style.display = disp;
        document.getElementById('city_visibility').style.display = disp;
        document.getElementById('company_visibility').style.display = disp;
        document.getElementById('division_visibility').style.display = disp;
    }
and made 2 calls to it in the existing set_letsencrypt_options function:
    if (radios[i].value == 'letsencrypt')
    {
        vis_element.style.display = '';
        set_letsencrypt_other_options('none');
    }
    else
    {
        vis_element.style.display = 'none';
        set_letsencrypt_other_options('');
    }
<tr> ids to allow hiding/showing, eg:
    <tr id=country_visibility>
    <tr id=province_visibility>
    <tr id=city_visibility>
    <tr id=company_visibility>
    <tr id=division_visibility>
set on each applicable row.
fixed: LetsEncrypt: .well-known directory needs to be 755
Mainly only applies to letsencrypt=2, where Users use redirects or password protection on the top level / path.
DA adds an .htaccess file to the .well-known directory in the event that, for example, Users have password protection on the top level / folder.
This .htaccess disables password protection so LE can access the acme-challenge.
Apache needs +r on this folder, so we set it to 755 instead of 711.
The change takes effect on systems that do not yet have the folder.
Existing systems would only need manual intervention if they see 403 errors with it:
eg: manually set the .well-known folder to 755.
fixed: Changing NS1/NS2 via User Settings causes domain with double dot
When going to:
and changing the ns1/ns2 values, it's possible that DA creates a broken zone.
With named-checkzone enabled (which it is by default), it will catch the error, but that prevents saving the change.
The error would look like this:
Unable to change NameServers: Cannot write zone for domain.com:
Unable to save dns zone: named-checkzone returned:loading "domain.com" from "/var/named/domain.com.db.temp"
class "IN" dns_master_load: /var/named/domain.com.db.temp:20: empty label
zone domain.com/IN: loading from master file /var/named/domain.com.db.temp failed: empty label
zone domain.com/IN: not loaded due to errors.
with the following details from a zone:
domain.com 14400 IN NS ns1.nameserver.net.
domain.com.. 14400 IN NS ns1.nameserver.net.
domain.com. 14400 IN NS ns2.nameserver.net.
domain.com. 14400 IN NS ns2.nameserver.net.
domain.com. 14400 IN NS ns3.nameserver.net.
Here are the steps to replicate the issue:
- Create a user or use an existing account in DirectAdmin, for example:
nameservers: ns1.nameserver.net and ns2.nameserver.net
- Change the Name Servers for a domain of the user at admin or user level through the DNS editor.
change: ns1.nameserver.net and ns2.nameserver.net
to: ns1.domain.com and ns2.domain.com
- As admin or reseller, change NS1 and NS2 in the user's details:
change: ns1.nameserver.net and ns2.nameserver.net
to: ns1.domain.com and ns2.domain.com
Click "Save" and see the error.
The bug was caused by how DA "extended" the domain.com string to add the trailing dot inside the container class.
Because there were already multiple values with the same entry, this produced a double dot.
The solution was to create the "domain.com." string ahead of time, before loading it into the container, instead of using the string extend method to add the dot.
fixed: Domain name change to call dns_write_post.sh on cluster=0
When a domain name was changed, the DNS was rewritten only when cluster=1, so that all remote servers get a push of the new domain name.
As such, dns_write_post.sh was called too.
A request was made to also call dns_write_post.sh for cluster=0. The serial number will also be increased as a result.
fixed: FreeBSD: Backup --exclude-file in bsdtar
Moved the --exclude-file option to be immediately after the filename.tar.gz, rather than after the -C /home/user.
The change applies to all OSes.
Note that it's possible there will be 2 --exclude-file options set, one after the other.
The first is for the non_readable_files:
and the second is for the backup_exclude_path feature:
Tested with CentOS; the double calls do match all patterns in both files.
Double calls would only happen if both are enabled, which is common:
fixed: username filtering on CMD_SELECT_USERS
The CMD_SELECT_USERS page was not correctly filtering the select0 type variables.
The issue was reported as an XSS security hole (cross site scripting):
but because of this feature:
the "cross site" portion of this statement is false, mitigating any sort of security issue.
We do still consider this to be a bug, as basic User input sanitation/filtering is always needed,
but no external site or attack can use this against you, making the security level of this somewhere between low and zero.
For anyone else who finds something similar, be sure to actually test your XSS discovery with an external site/webpage (anything on a different port or hostname), as DA will notice the referer being incorrect (id=1050) and will block the post.
fixed: direct_imap_backup to not backup the imap folder if it doesn't exist
With the addition of the direct_imap_backup=1 feature (disabled by default),
DA can back up the /home/user/imap folder directly into the tar.gz backup file.
The issue is that for Admin or Reseller accounts that might not have a domain, this can cause an error:
Error Compressing the backup file admin.root.admin.tar.gz : /bin/tar: imap: Cannot stat: No such file or directory
/bin/tar: Exiting with failure status due to previous errors
So if the feature is enabled, a check is now done before including the imap folder.
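The three backup details in this changelog (tar exit code 1 accepted or rejected by policy, both exclude-pattern files placed after the archive name and before -C, and the imap folder added only when it exists) fit into one added example below. It is not DirectAdmin's backup code: the changelog does not name the directadmin.conf option that controls the exit-code policy, so that is the ALLOW1 argument here; the fixed entry names "domains" and "backup" and the sample pattern files are constructed; and the exclude option is written in its -X spelling, which GNU tar, bsdtar and busybox tar all accept.

```sh
#!/bin/sh
# Added example, not DirectAdmin's backup code. Demonstrates the exclude-file
# ordering fix, the conditional imap entry and the tar exit-status policy.

# Return 0 when STATUS is acceptable under ALLOW1 (1 = accept exit 1 and 256,
# the same exit status seen as a raw wait value), otherwise 1.
tar_status_ok() {
    status="$1"; allow1="${2:-1}"
    case "$status" in
        0) return 0 ;;
        1|256) [ "$allow1" = "1" ] ;;
        *) return 1 ;;
    esac
}

# Print the entries to archive, one per line: the given ENTRIES plus "imap"
# only when HOME/imap exists, so tar never stats a missing folder.
backup_entries() {
    home="$1"; shift
    for e in "$@"; do printf '%s\n' "$e"; done
    if [ -d "$home/imap" ]; then printf 'imap\n'; fi
}

# Create ARCHIVE from HOME. NONREAD and EXCL are the two pattern files
# (non_readable_files and backup_exclude_path); each gets its own -X, both
# placed before -C HOME as the fix requires. Returns 0 when tar's exit status
# passes tar_status_ok under ALLOW1. "domains" and "backup" are constructed
# stand-ins for DA's real entry list.
backup_tar() {
    archive="$1"; home="$2"; nonread="$3"; excl="$4"; allow1="${5:-1}"
    entries=$(backup_entries "$home" domains backup)
    if tar -cf "$archive" -X "$nonread" -X "$excl" -C "$home" $entries; then
        status=0
    else
        status=$?
    fi
    tar_status_ok "$status" "$allow1"
}

# Constructed sample run in a temporary home directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/domains" "$tmp/home/backup"
    echo keep > "$tmp/home/domains/keep.txt"
    echo hidden > "$tmp/home/domains/secret.txt"
    printf 'domains/secret.txt\n' > "$tmp/nonread.txt"   # constructed non_readable_files
    printf 'backup/old.tar\n' > "$tmp/excl.txt"          # constructed backup_exclude_path
    if backup_tar "$tmp/out.tar" "$tmp/home" "$tmp/nonread.txt" "$tmp/excl.txt" 1; then
        echo "archive contents:"; tar -tf "$tmp/out.tar"
    else
        echo "backup failed under the current exit-status policy" >&2
    fi
    rm -rf "$tmp"
}
demo
```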
fixed: Usage (Meg) quota limit of 4096 caused decimal points
There was an internal cast to (int) for the email quota limit number, so a limit of 4096M, which is 4294967296 bytes, is too large for an int and caused a size check error.
There is a check for:
if (qlimit/(1024*1024) == 0)
which looks to see if the size in meg is less than 1, and that's when it adds decimal points.
The cast caused this division to be incorrect, showing 4096.000.
fixed: global custom tokens accessed wrong files
Implementation didn't match the documentation.
Changed the implementation, as the documented method was cleaner.
fixed: Restore custom apache config at admin level
Set to restore custom apache config only at Admin Level.
fixed: LetsEncrypt: new local challenge pre-test
Changed how we do local challenges before actually submitting the request to LetsEncrypt.
It now uses curl to essentially duplicate the check LE performs,
which allows us to take the appropriate action on the certificate (removing non-functional items)
before actually sending off the request to LE, where it may otherwise have failed.
This also has the added benefit of reducing the number of wasted requests to LE.
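The local pre-test described here, as an added example that is not DirectAdmin's code: a random token is placed in each hostname's acme-challenge directory, fetched back with curl the way the CA would fetch it, and only the hostnames that answer with the right content are kept, so a non-functional entry is dropped before the request reaches LE. LE_URL_PREFIX is the example's own knob: it is "http://" in real use, and can point at a file:// tree so the logic can be exercised without a webserver. The token generator and the host/docroot input format are also the example's own.

```sh
#!/bin/sh
# Added example, not DirectAdmin's code. Local challenge pre-test with curl.

LE_URL_PREFIX="${LE_URL_PREFIX:-http://}"   # example's own; file://... for offline runs

# Print a random hex token used as both the challenge file name and content.
new_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 0 when HOST serves a freshly placed challenge file from DOCROOT
# at /.well-known/acme-challenge/TOKEN with the expected content, else 1.
# The file is removed again either way.
local_challenge_test() {
    host="$1"; docroot="$2"
    dir="$docroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token=$(new_token)
    printf '%s' "$token" > "$dir/$token"
    body=$(curl -s --max-time 10 "${LE_URL_PREFIX}${host}/.well-known/acme-challenge/$token" 2>/dev/null)
    rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Read "host docroot" pairs from standard input and print only the hosts that
# pass local_challenge_test; the others are reported on stderr and dropped,
# which is the "removing non-functional items" step before the LE request.
filter_working_hosts() {
    while read -r host docroot; do
        [ -n "$host" ] || continue
        if local_challenge_test "$host" "$docroot"; then
            printf '%s\n' "$host"
        else
            echo "dropping $host: local challenge fetch failed" >&2
        fi
    done
}
```

Usage on a live server would be along the lines of `printf 'www.example.com /home/fred/domains/example.com/public_html\n' | filter_working_hosts`, with the kept hostnames forming the certificate request; a hostname whose DNS points elsewhere, or whose .well-known directory is blocked by a redirect or password protection, fails the fetch and is dropped instead of failing the whole request.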
fixed: Imap restore not setting mail group on files
A bug in the copyDir function prevented the "mail" group from being set when the files were copied.
This refers to the process's active running group, not a chgrp.
The issue wasn't noticed as dovecot and exim can both function happily with mail files set to user:user,
since they read as 'user:mail', so as long as the file has one of the 2, it will still work.
fixed: dovecot restart via task.queue not working
As LetsEncrypt needs to restart services, the hostname certificate install needs to restart dovecot.
The action=dovecot&value=restart task.queue method wasn't working.
The fix is also applied to php-fpm and pure-ftpd restarts.