Version 1.50.1

Released: 2016-06-09

Ability to have backup tar exit code 1 throw error new

Previously, DA was changed to allow exit code 1:

Allow tar exit code 1

without throwing an error.

By default, this will remain true.

But if you wish for DA to throw a backup error if exit status 1 is returned, you can add this to your directadmin.conf:

allow_backup_exit_code_one=0

where the internal default is 1, which means exit code 1 (and 256) is accepted and will not throw an error.

If you change it to 0, then exit code 1 (and 256) is no longer ok, and DA will throw an error.

Brute Force Monitor: Skip User distributed attack User count new

DirectAdmin's BFM can scan how many times a specific IP attacks the server, but also how many times a specific User is attacked from any IP.

Sometimes the Admin might not want to bother with the number of attacks on a specific User, so you can set the option:

user_brutecount=0

Setting it to 0 disables DA's count on specific Users.

By default, the user_brutecount option is set to the number of failed attempts for a specific User before a notice is sent.

Disabling the user_brutecount (setting it to 0) will likely improve the loading time of the Brute Force Monitor page.

letsencrypt_pre.sh and letsencrypt_post.sh new

Custom scripts for before and after calls to letsencrypt.sh.

Environmental variables:

acme-challenge-dir=/var/www/html/.well-known/acme-challenge OR /home/fred/domains/domain.com/public_html/.well-known/acme-challenge
username=fred
domain=domain.com
action=request|renew|revoke
keysize=2048|4096  (Note: LE only supports 2048 bit at this time, so regardless of what's passed, you'll get a 2048 bit cert)

The letsencrypt_post.sh has all of the above, with the addition of:

exit_code=0|#

where 0 means everything worked during the letsencrypt.sh call.

The letsencrypt_pre.sh must exit with a zero status, or the process will abort.

The exit status of letsencrypt_post.sh will not affect any aborts since everything is already done.
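As an added example (not DirectAdmin's own hook code), a POSIX sh helper pair that a letsencrypt_pre.sh and letsencrypt_post.sh could use: the pre check validates the values listed above and returns non-zero (which aborts the request) on anything unexpected, while the post helper only reports on exit_code. The function names, the identifier rules and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not DirectAdmin's own code): helpers for letsencrypt_pre.sh
# and letsencrypt_post.sh. The pre hook must exit 0 or DA aborts, so every
# check here fails closed. Identifier rules below are assumptions.

# Validate the values DA exports; arguments: username domain action keysize
# challenge-dir. Returns 1 (with a reason on stderr) on the first problem.
le_pre_check() {
    user=$1 dom=$2 act=$3 ksize=$4 cdir=$5
    case "$act" in
        request|renew|revoke) ;;
        *) echo "pre: unknown action '$act'" >&2; return 1 ;;
    esac
    # Unix-style account name only; anything else is not a DA User name
    case "$user" in
        ''|*[!a-z0-9_]*) echo "pre: bad username '$user'" >&2; return 1 ;;
    esac
    # Hostname characters only, no leading dot and no empty label ("..")
    case "$dom" in
        ''|.*|*..*|*[!a-z0-9.-]*) echo "pre: bad domain '$dom'" >&2; return 1 ;;
    esac
    case "$ksize" in
        2048|4096) ;;  # LE issues 2048-bit either way, per the note above
        *) echo "pre: bad keysize '$ksize'" >&2; return 1 ;;
    esac
    # request/renew need a writable challenge dir; revoke touches no files
    if [ "$act" != revoke ]; then
        if [ ! -d "$cdir" ] || [ ! -w "$cdir" ]; then
            echo "pre: challenge dir '$cdir' missing or not writable" >&2
            return 1
        fi
    fi
    return 0
}

# Post helper: exit_code=0 means letsencrypt.sh succeeded. Our status cannot
# abort anything at this point, so it only drives logging/alerting.
le_post_report() {
    code=$1 dom=$2 act=$3
    case "$code" in
        0) echo "post: $act for $dom succeeded"; return 0 ;;
        *) echo "post: $act for $dom FAILED (exit_code=$code)" >&2; return 1 ;;
    esac
}

# When DA runs this file as the hook, read its environment. The challenge
# directory variable has a hyphenated name, so printenv is needed for it.
case "${0##*/}" in
    letsencrypt_pre.sh)
        le_pre_check "$username" "$domain" "$action" "$keysize" \
            "$(printenv acme-challenge-dir)" || exit 1 ;;
    letsencrypt_post.sh)
        le_post_report "$exit_code" "$domain" "$action" ;;
esac
```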

Letsencrypt autorenew from 85 to 60 days new

As recommended by the LE devs, we've lowered the autorenew time from 85 days down to 60 days.

This should give people more time to resolve issues, should anything go wrong.

Quote:

  "The Technical Advisory Board chose a 90-day certificate lifetime to start with, with an expectation that people will want to auto-renew at the 60-day mark."

Also, the rate limit has been changed from 5 to 20 top-level domain requests per week.

There is nothing to change in DA, but it lets you make more requests, if needed.

Let's Encrypt: Ability to select which DNS records to include in the certificate (SKINS)(LANG) new

Changes to the SSL page.

When the Let's Encrypt feature is enabled and set to 1 (not 2), a User can select this option when creating a certificate request (CSR).

When selected, a scrollable table will show with a list of items that can be selected via checkbox.

The items will include the domain name, all subdomains, and a preset list of options, eg:

domain.com
www.domain.com
mail.domain.com
subdomainname.domain.com

as well as all of the above for all domain pointers under the domain.

The User can select which ones they want, keeping in mind that there is a weekly request limit of 20 (at the time of this writing), so a single submission can never hold more than 20 items.

Keep in mind, if you select 20 and then make a mistake, you cannot try again until one full week later.

OPTIONS

in the directadmin.conf, internal defaults:

letsencrypt_max_requests_per_week=20
letsencrypt_list=www:mail:ftp:pop:smtp
letsencrypt_list_selected=www
letsencrypt_multidomain_cert=2
letsencrypt_renewal_success_notice=0

where currently, letsencrypt_max_requests_per_week is only displayed, and not counted or enforced.

The request itself will simply throw an error if they've exceeded the limit.

This allows the LE site to increase their limit without needing to worry about DA having a lower limit.

The letsencrypt_list is a colon separated list of additional records to include in the list.

The letsencrypt_list_selected value is a similar list, but contains those items that are to be selected by default.  It can be a subdomain that isn't in the letsencrypt_list, if you want.

The letsencrypt_multidomain_cert value allows all other domains under this User to show up in the list.

If set to 1, then it only adds the other domains under the User.

If set to 2 (internal default), then it adds the other domains under the User, plus any domain pointers under those domains.

The option letsencrypt_renewal_success_notice by default is set to 0.

If you set it to 1, then the User will get a message each time a renewal goes through without error.

Renewal errors will always notify the User, regardless of this setting.

SKINS

user/ssl.html - many changes here:

  - 3 new javascript functions

  - The 3 main radiobutton options (server, request, paste) are now listtitle, rather than list class.

  - The 3 request radiobuttons now have: onClick="set_letsencrypt_options();"

  - Below the Cert Type, a new "tr" with the LETSENCRYPT_OPTIONS token, inserted.

  - JS function init_letsencrypt_options(); should be called after the table is displayed.

LANG

lang/en/internal/ssl.txt

34=Must use letsencrypt=1 for options. letsencrypt=%d is currently set.
35=Let's Encrypt Certificate Entries
36=Select
37=Requested LetsEncrypt value of '%s' is not an allowed value.
38=Must select more than zero LetsEncrypt entries.
39=Must include your domain %s in the LetsEncrypt entries.

lang/en/user/ssl.html

LANG_LE_MORE_THAN_ZERO=Must select more than zero entries.
LANG_LE_CANNOT_EXCEED=Cannot exceed
LANG_LE_REQUESTS_PER_WEEK=requets per week.
LANG_LE_MUST_INCLUDE_MAIN_DOMAIN=You must include your main domain:
LANG_LE_SELECTED=Selected Entries
LANG_LE_MAX=Maximum requests per week

Per-User user.conf override for max_per_email_send_limit new

Relating to the directadmin.conf option:

max_per_email_send_limit

You can now add a value, eg:

max_per_email_send_limit=2000

to a given User's user.conf file to allow it to override the directadmin.conf value.

This is useful if you have one User you want to allow to set a high per-Email send limit, but do not want to allow all DA Users the ability to set a high per-Email send limit.

You'll need to manually add the max_per_email_send_limit value into the given User's user.conf file for it to take effect.

Disable overusage notices if account=OFF new

When an Admin or Reseller manually suspends an account, this will also set "account=OFF" in the user.conf file.

This change will disable the over-usage warning messages for an account that is currently set to account=OFF.

The sentwarning=yes will not be set in the user.conf, allowing the notice to be sent at a later date, should account=ON be set again later on.

The overusage_notice_post.sh script will still be called.

Show Warning if DA has not been restarted since last license update (SKINS)(LANG) new

If the timestamp on the license.key file is newer than DirectAdmin's last restart time, a warning will be shown on the Licenses/Updates page, along with a URL to restart DA if needed.

Failure to restart DA after updating a license may result in seeing a confusing "License Expired" message, even though the license itself is updated, just not loaded in yet.

SKINS:


enhanced/admin/license.html

|*if da_needs_restart="yes"|
        <tr><td class=list align=center colspan=2>*** <b>|LANG_DA_NOT_RESTARTED|</b> ***<br>
        <a href="CMD_SERVICE?action=restart&service=directadmin">|LANG_RESTART_DA|</a></td></tr>
|*endif|

LANG:

lang/en/admin/license.html

LANG_RESTART_DA=Restart DirectAdmin

LANG_DA_NOT_RESTARTED=DirectAdmin has not been restarted since the last license.key update!

Ability to change ns1/ns2 values without affecting package (LANG) new

The page:

CMD_SHOW_USER?user=username

will now have the ns1/ns2 rows as text inputs, and the right side of ns2 will be a button, "Save Nameservers".

This will be able to alter your ns1/ns2 values without having the User package set to "custom".

Can be done with API as well:

CMD_API_MODIFY_USER
user=username
action=single
ns1=ns1.domain.com
ns2=ns2.domain.com
ns=<any text>

This will also trigger the user_info_modify_post.sh hook script.

LANG

lang/en/internal/user.txt

113=ns1 or ns2 are not valid nameservers
114=No changes have been made

lang/en/internal/command.txt

572=%sSave Nameservers%s
573=Error saving Nameservers
574=Nameservers have been changed

LetsEncrypt: Don't require the use of the other CSR fields (SKINS) fixed

The Let's Encrypt certificates don't include other fields like company, names, etc.; they're very basic.

DA currently still required that you fill out the whole form, so the DA code and skins were changed so they don't require the "other" fields, since they're not used anyway.


SKINS:

user/ssl.html

New javascript function:

function set_letsencrypt_other_options(disp)
{
    document.getElementById('country_visibility').style.display = disp;
    document.getElementById('province_visibility').style.display = disp;
    document.getElementById('city_visibility').style.display = disp;
    document.getElementById('company_visibility').style.display = disp;
    document.getElementById('division_visibility').style.display = disp;
}

and made 2 calls to it in the existing set_letsencrypt_options function:

if (radios[i].value == 'letsencrypt')
{
    vis_element.style.display = '';
    set_letsencrypt_other_options('none');
}
else
{
    vis_element.style.display = 'none';
    set_letsencrypt_other_options('');
}

Added 5 <tr> ids to allow hiding/showing, eg:

    <tr id=country_visibility>
    <tr id=province_visibility>
    <tr id=city_visibility>
    <tr id=company_visibility>
    <tr id=division_visibility>

set for its applicable row.

LetsEncrypt: .well-known directory needs to be 755 fixed

Mainly only applies to letsencrypt=2 where Users use redirects or password protection on the top level / path.

DA adds an .htaccess file to the .well-known directory in the event that, for example, Users have password protection on the top level / folder.

This .htaccess disables password protection so LE can access the acme-challenge.

Apache needs to have +r on this folder, so we set it to 755 instead of 711.

Change will take effect on systems that do not yet have the folder.

Existing systems would only need manual intervention if they have 403 errors with it:

eg: manually set the .well-known folder to 755.

Changing NS1/NS2 via User Settings causes domain with double dot fixed

When going to:

CMD_MODIFY_USER?user=bob

and changing the ns1/ns2 values, it's possible that DA creates a broken zone.

With named-checkzone enabled (which it is by default), it will catch the error, but this prevents saving the change.

Error would look like this:


Unable to change NameServers: Cannot write zone for domain.com:

Unable to save dns zone: named-checkzone returned:loading "domain.com" from "/var/named/domain.com.db.temp"

class "IN" dns_master_load: /var/named/domain.com.db.temp:20: empty label

zone domain.com/IN: loading from master file /var/named/domain.com.db.temp failed: empty label

zone domain.com/IN: not loaded due to errors.


with the following details from a zone:

domain.com 14400 IN NS ns1.nameserver.net.

domain.com.. 14400 IN NS ns1.nameserver.net.

domain.com. 14400 IN NS ns2.nameserver.net.

domain.com. 14400 IN NS ns2.nameserver.net.

domain.com. 14400 IN NS ns3.nameserver.net.


Here are the steps to replicate the issue:

  1. Create a user or use an existing account in DirectAdmin, for example:

user: bob
domain: domain.com
nameservers: ns1.nameserver.net and ns2.nameserver.net

  2. Change the Name Servers for a domain of the user at admin or user level through the DNS editor:

change: ns1.nameserver.net and ns2.nameserver.net

to: ns1.domain.com and ns2.domain.com

  3. As admin or reseller, change NS1 and NS2 in the user's details:

change: ns1.nameserver.net and ns2.nameserver.net

to: ns1.domain.com and ns2.domain.com

Click "Save" and see the error.


Bug was caused by how DA "extended" the domain.com string to add the trailing dot inside the container class.

But because there were already multiple values with the same entry, it caused a double dot.

Solution was to create the domain.com. string ahead of time before loading it into the container, and not using the string extend method to add the dot.

Domain name change to call dns_write_post.sh on cluster=0 fixed

When a domain name was changed, the dns was rewritten only when cluster=1, so that all remote servers get a push of the new domain name.

As such, dns_write_post.sh was called too.

Request was made to include dns_write_post.sh for cluster=0. Serial number will also be increased as a result.

FreeBSD: Backup --exclude-file in bsdtar fixed

Related thread:

http://forum.directadmin.com/posts/269356

Moved the --exclude-file option to be immediately after the filename.tar.gz, rather than after the -C /home/user.

The change applies to all OSes.

Note that it's possible there will be 2 --exclude-file options set, one after the other.

The first is for the non_readable_files:

Security: improvements to strict_backup_permissions - MAJOR CHANGES

and the second is for the backup_exclude_path feature:

User ability to skip paths from their tar.gz backup files

Tested with CentOS and the double calls do match all patterns in both files.

Double calls would only happen if both are enabled, which is common:

strict_backup_permissions=1
allow_backup_exclude_path=1

username filtering on CMD_SELECT_USERS fixed

The CMD_SELECT_USERS page was not correctly filtering the select0 type variables.

This allowed the currently logged in account to type in any text, where the next page could potentially have injected code, like javascript.

The issue was reported as an XSS security hole (cross site scripting):

http://www.vulnerability-lab.com/get_content.php?id=1824

but because of this feature:

Security check on Referer header

the "cross site" portion of this statement is false, mitigating any sort of security issue.

We do still consider this to be a bug, as basic User input sanitization/filtering is always needed,

but no external site or attack can use this against you, making the security level of this somewhere between low and zero.

For anyone else who finds something similar, be sure to actually test your XSS discovery with an external site/webpage (anything on a different port or hostname), as DA will notice the referer being incorrect (id=1050) and will block the post.

http://help.directadmin.com/item.php?id=619

direct_imap_backup to not backup imap folder if it doesn't exist fixed

With the addition of the direct_imap_backup=1 feature (disabled by default):

Backup: direct_imap_backup for direct inclusion of imap folder into tar.gz

DA can back up the /home/user/imap folder directly into the tar.gz backup file.

The issue is that for Admin or Reseller accounts that might not have a domain, this can cause an error:

Error Compressing the backup file admin.root.admin.tar.gz : /bin/tar: imap: Cannot stat: No such file or directory

/bin/tar: Exiting with failure status due to previous errors

So if the feature is enabled, a check is now done before including the imap folder.

Usage (Meg) quota limit of 4096 caused decimal points fixed

There was an internal (int) cast of the email quota limit number, so a limit of 4096M, which is 4294967296 bytes, overflowed the int and caused a size check error.

There is a check for:

if (qlimit/(1024*1024) == 0)

which is looking to see if the size in meg is less than 1, and that's when it adds decimal points.

The cast caused this division to be incorrect, showing 4096.000.

global custom tokens accessed wrong files fixed

Relating to:

Global custom include templates for apache/nginx (SKINS)

Implementation didn't match the documentation.

Changed the implementation, as the documented method was cleaner.

Restore custom apache config at admin level fixed

Set to restore custom apache config only at Admin Level.

LetsEncrypt: new local challenge pre-test fixed

Changed how we do local challenges before actually submitting the request to LetsEncrypt.

It now uses curl to basically duplicate the same check they do, which allows us to take the appropriate action on the certificate (removing non-functional items) before actually sending off the request to LE, which otherwise may have failed.

This also has the added benefit of reducing the number of wasted requests to LE.

Imap restore not setting mail group on files fixed

Bug in the copyDir function prevented the "mail" group being set when the files were copied.

This refers to the process's active running group, not a chgrp.

The issue wasn't noticed as dovecot and exim can both function happily with mail files set to user:user, since they read as 'user:mail', so as long as the file has one of the 2, it will still work.

dovecot restart via task.queue not working fixed

As LetsEncrypt needs to restart services, the hostname certificate install needs to restart dovecot.

The action=dovecot&value=restart task.queue method wasn't working.

Fix also applied to php-fpm and pure-ftpd restarts.
