The Admin SSL section in Admin Level allows for overview and management of all user/domain certificates, as well as hostname certificates.
CMD_ADMIN_SSL Evolution skin:
In addition, it allows back-end automatic SSL certificate generation on a polling schedule (so a domain that does not yet resolve can be retried until it does).
- A domain will only be given an automatic certificate if it is set to use the "Shared Server Cert"; in that case a per-VirtualHost certificate is created for each host (sorted out at httpd.conf write time based on snidomains).
Fix old/existing/expired/invalid certificates.
If set to 1, any fully expired or invalid LetsEncrypt certificates will automatically be reissued ("brought back to life"), following the polling schedule.
If set to 2, any fully expired or invalid certificates will automatically be reissued, following the polling schedule. This includes non-LetsEncrypt (e.g. EV) certificates, so be careful if you use this option. It does not poll for hosts that have no certificate at all.
Install certs to hosts which do not have any.
When enabled, DirectAdmin will check on the polling schedule to add certificates, or to retry adding them. This setting is useful for newly added domains, which are then given a certificate automatically.
You would usually keep this set to 1. Setting it to 0 disables DA's check for the .ssl.next_retry file, which is what the GUI creates during its requests.
It is the main on/off switch for retries, BUT the other missing/invalid/expired checks do not depend on it. If those checks fail, they create the .ssl.next_retry file, and this option must be on for the retry to happen. It therefore also needs to be enabled for retries triggered by the other polling (expired/invalid or missing).
admin_ssl_check_retries=1 does not require the Pro-Pack, as the User Level Automatic SSL currently uses it.
In more detail, this option specifies that retry attempts run at these intervals (windows are measured from the first attempt):
- <30 minutes: every 5 minutes
- 30m-1h: every 15 minutes
- 1h-4h: every 30 minutes
- 2nd, 3rd days: every 12 hours
- 4th day onward: once per day
- Stop trying after 1 week (7th entry)
Time units are case-sensitive: s, m, h, d, w, M, y (m is minute, M is month).
A value with no unit is treated as seconds, since that is how the values end up internally anyway.
There must be no space between the number and the unit: "1 d" is parsed as one second, because the unit is not adjacent to the digits.
When a trigger fires, the NEXT window must be saved to the next_trigger file. The first_trigger must remain untouched, so that the code can tell which window the retry is in.
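The duration syntax and the retry windows above, as an added model in Python (this is not DirectAdmin's code). The window boundaries and intervals are the ones listed on this page; everything else is an assumption: the page does not say which interval applies between 4 hours and the start of the 2nd day, so the model keeps the last listed interval (30 minutes) until the next window starts; M and y are taken as 30 and 365 days; and first_trigger/next_trigger are modelled as dict keys rather than the files DirectAdmin writes.

```python
"""Model of the Admin SSL retry schedule (added example, not DirectAdmin code)."""
import re

# Case-sensitive units: m is minute, M is month.
UNIT_SECONDS = {
    "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,
    "M": 30 * 86400,   # assumption: one month = 30 days
    "y": 365 * 86400,  # assumption: one year = 365 days
}


def parse_duration(text):
    """Parse '5m', '12h', '1d' into seconds.

    A bare number is seconds.  The unit must follow the digits with no
    space: '1 d' parses as 1 second because the unit is not adjacent.
    """
    m = re.match(r"(\d+)([smhdwMy])?", text.strip())
    if not m:
        raise ValueError("not a duration: %r" % text)
    value, unit = int(m.group(1)), m.group(2)
    return value * (UNIT_SECONDS[unit] if unit else 1)


# (window start, retry interval), matched on time elapsed since first_trigger.
SCHEDULE = [
    (parse_duration("0"),   parse_duration("5m")),   # <30 minutes
    (parse_duration("30m"), parse_duration("15m")),  # 30m-1h
    (parse_duration("1h"),  parse_duration("30m")),  # 1h-4h (assumption: kept until day 2)
    (parse_duration("1d"),  parse_duration("12h")),  # 2nd, 3rd days
    (parse_duration("3d"),  parse_duration("1d")),   # 4th day onward
]
GIVE_UP_AFTER = parse_duration("1w")  # stop trying after one week


def retry_interval(elapsed):
    """Interval for the window containing `elapsed` seconds since the first
    attempt, or None once the request is a week old and should be abandoned."""
    if elapsed >= GIVE_UP_AFTER:
        return None
    interval = SCHEDULE[0][1]
    for start, step in SCHEDULE:
        if elapsed >= start:
            interval = step
    return interval


def advance(state, now):
    """Record a failed attempt at time `now` and schedule the next one.

    first_trigger is kept so the window can still be determined; only
    next_trigger moves.  Returns the new state, or None to stop retrying.
    """
    first = state.get("first_trigger", now)
    interval = retry_interval(now - first)
    if interval is None:
        return None
    return {"first_trigger": first, "next_trigger": now + interval}


def simulate(start=0):
    """Walk the schedule from a first failure at `start` until it gives up.
    Returns the attempt times as seconds since `start`."""
    state = {"first_trigger": start, "next_trigger": start}
    attempts = []
    while state is not None:
        now = state["next_trigger"]
        attempts.append(now - start)
        state = advance(state, now)
    return attempts


if __name__ == "__main__":
    for t in simulate():
        print("%7d s  (%.1f h)" % (t, t / 3600.0))
```

Running the simulation shows 63 attempts in total, the last one exactly one week after the first; the attempt that is already due at the one-week mark is still made, and no further one is scheduled.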
If this feature misbehaves, disable it quickly with:
./directadmin set admin_ssl_replace_all_expired_invalid 0
./directadmin set admin_ssl_install_to_missing 0
./directadmin set admin_ssl_check_retries 0
service directadmin restart
View all certificates:
REQUEST new certificates for selected domains
where you can select one or more domains with select0, select1, and so on.
wildcard=yes can be passed to request a
Save the request to the data/users/USER/domains/DOMAIN.COM.ssl file, which stores the related request info and retry schedule.
On completion of a valid request (after however many retries it takes to succeed), if the requested host has a valid domain.com.conf file (i.e. it is a full domain), that domain is switched over to cert=server mode (Best Match mode), which means it is now fully under automatic SSL.
Save settings to directadmin.conf
Admin accounts will be able to call:
followed by any one of, or multiple of, the following settings:
As reading every domain certificate on the box can be slow, a new cache file will be found here:
It is rebuilt every night after the tally is done (and after the LetsEncrypt retries are done).
Any "save" of a certificate by a User (or a restore, etc.) triggers a rewrite of all domain/pointer certificate entries for that User in that file. Deleting a domain does not clear its entries from the cache, but the nightly rewrite will handle it. When displayed, entries are retrieved based on domainowners, so stale entries are harmless as long as domainowners is kept up to date, as it currently is.
You can force a retry through the task.queue using:
echo "action=ssl&value=admin_ssl&domain=domain.com" >> data/task.queue; ./dataskq d1245
Even if this domain's certificate does not qualify for a request/renewal, the above will try anyway.
You can force a full rebuild of the cache with:
echo "action=cache&value=certificates" >> data/task.queue; ./dataskq d1245
or only for one User with:
echo "action=cache&value=certificates&user=fred" >> data/task.queue; ./dataskq d1245
where the user mode first reads the existing cache, then overwrites or adds the entries belonging to fred. The non-user mode is a 100% rebuild that does not read the existing cache first.
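The two rebuild modes and the domainowners-driven display, as an added model in Python (this is not DirectAdmin's code). The cache file layout is an assumption, one "domain=user:status" line per entry keyed on the domain, since the real format is not given on this page; the domain list and certificate statuses are constructed sample data. The model shows that a per-User rebuild merges into the existing cache while the full rebuild starts from nothing, and that a deleted domain's stale entry survives until the full rebuild but is never displayed because display is filtered through domainowners.

```python
"""Model of the certificate cache rebuild modes (added example, not DirectAdmin code).
Cache layout 'domain=user:status' is an assumption; sample data is constructed."""

# Constructed sample data: who owns what, and what each host's certificate looks like.
DOMAINOWNERS = {"fred.com": "fred", "alias-of-fred.com": "fred", "bob.com": "bob"}
CERT_STATUS = {"fred.com": "valid", "alias-of-fred.com": "valid", "bob.com": "expired"}


def parse_cache(text):
    """Parse the assumed 'domain=user:status' lines into {domain: (user, status)}."""
    entries = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        domain, rest = line.split("=", 1)
        user, status = rest.split(":", 1)
        entries[domain] = (user, status)
    return entries


def serialize(entries):
    """Write entries back out in the assumed layout, sorted for stable diffs."""
    return "".join("%s=%s:%s\n" % (d, u, s) for d, (u, s) in sorted(entries.items()))


def rebuild_full(domainowners, cert_status):
    """Nightly / 'action=cache&value=certificates' mode: no read of the old cache."""
    entries = {d: (u, cert_status[d]) for d, u in domainowners.items() if d in cert_status}
    return serialize(entries)


def rebuild_user(cache_text, user, domainowners, cert_status):
    """'action=cache&value=certificates&user=USER' mode: read the existing cache,
    drop that User's entries, and write the User's current entries back in.
    Other Users' entries, stale or not, are left exactly as they were."""
    entries = {d: v for d, v in parse_cache(cache_text).items() if v[0] != user}
    for d, u in domainowners.items():
        if u == user and d in cert_status:
            entries[d] = (u, cert_status[d])
    return serialize(entries)


def visible(cache_text, domainowners):
    """What the Admin SSL page shows: cache entries looked up via domainowners,
    so an entry whose domain is no longer owned by anyone is never displayed."""
    entries = parse_cache(cache_text)
    return {d: entries[d] for d in domainowners if d in entries}


def stale_entries(cache_text, domainowners):
    """Entries present in the cache but absent from domainowners."""
    return sorted(d for d in parse_cache(cache_text) if d not in domainowners)


if __name__ == "__main__":
    cache = rebuild_full(DOMAINOWNERS, CERT_STATUS)
    # Bob's domain is deleted: removed from domainowners, but the cache is untouched.
    owners = {d: u for d, u in DOMAINOWNERS.items() if u != "bob"}
    cache = rebuild_user(cache, "fred", owners, CERT_STATUS)  # fred saves a cert
    print("stale:", stale_entries(cache, owners))              # ['bob.com']
    print("shown:", sorted(visible(cache, owners)))            # fred's two hosts only
    print("after nightly:", stale_entries(rebuild_full(owners, CERT_STATUS), owners))
```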
The ssl_save_pre.sh and ssl_save_post.sh scripts should now accept:
where domain can be any of:
- a full User domain.com
- a sub-domain "sub.domain.com" below a domain.
- a pointer "pointer.com" below a domain.
- a pointer sub.pointer.com below a domain.
domain value is only relevant to the host being requested, and to the value set in