Admin SSL
The Admin SSL section in Admin Level allows for overview and management of all user/domain certificates, as well as hostname certificates.
Enhanced Skin: CMD_ADMIN_SSL Evolution skin: /admin/ssl
In addition it allows back-end automatic ssl certificate generation based on poll frequency (to allow for domain to eventually resolve).
Requirements
mail_sni=1enabledadmin_ssl_cert_per_vh=1admin_ssl_check_retries=1- Domain will only be given an auto cert if it's set to use the "Shared Server Cert", in which case a per-VH will be created for each host (sorted out at
httpd.confwrite time based on snidomains)
Fix old/existing/expired/invalid certificates.
Internal default: admin_ssl_replace_all_expired_invalid=0
If set to 1, any fully expired/invalid LetsEncrypt certificates will automatically be brought back to life, following the polling schedule.
If set to 2, any fully expired/invalid certificates will automatically be brought back to life, following the polling schedule. This includes non-LetsEncrypt (Eg: EV) certificates, so be careful if you use this option. It does not poll for empty certs.
Install certs to hosts which do not have any.
Internal default: admin_ssl_install_to_missing=0
Set to: admin_ssl_install_to_missing=1
and DirectAdmin will check using the polling schedule to add or retry adding them. This setting is useful for newly added domains to automatically be given a certificate.
Retry enabled
admin_ssl_check_retries=1
You'd usually just keep this set to 1. Setting it to 0 will disable DA's check for the .ssl.next_retry file, which is what the GUI would create during its requests.
Basically it is the main on/off switch, BUT the other missing/invalid/expired checks are not dependent on it.
If they fail, then they'd create the .ssl.next_retry file, then you'd need this on. This also need to be enabled for retries on other polling, like expired/invalid or missing.
The admin_ssl_check_retries=1 does not require the Pro-Pack, as the User Level Automatic SSL currently uses it.
Retry/Poll Frequency
Default value: admin_ssl_poll_frequency=5m:15m:30m:1h:12h:1d:1w
In more detail this option specifies that retry attempts should be run in these intervals:
<30minutes: every 5 minutes
30m-1h: every 15 minutes
1h-4hrs: every 30 minutes
4h-1day: hourly
2nd,3rd days: every 12 hours
4th day onward: once per day
Stop trying after 1 week (7th entry)
time units will all be case specific s,m,h,d,w,M,y
m is minute, M is Month.
No units will be treated as seconds, since that's how they're intended to end up anyway.
No spaces after the numbers before the units. (1 d will end up being one second).
When a trigger is done, it must save that NEXT window to the next_trigger file. The first_trigger must still remain so we know which window to check.
Disable all
If this feature is not behaving nicely, to quickly disable it:
cd /usr/local/directadmin
./directadmin set admin_ssl_replace_all_expired_invalid 0
./directadmin set admin_ssl_install_to_missing 0
./directadmin set admin_ssl_check_retries 0
service directadmin restart
View all certificates:
CMD_ADMIN_SSL?json=yes
REQUEST new certificates for selected domains
CMD_ADMIN_SSL
method: POST
action=multiple
request=yourdomain
select0=domain1.com
(select1=domain2.com)
(wildcard=yes)
Where you can select 1 or more domains with select0 and up.
wildcard=yes can be passed to request a *.domain.com cert.
Save the request to the data/users/USER/domains/DOMAIN.COM.ssl file, which will store the related request info and retry schedule.
Completion of a valid request (after however many retries it succeeds), if that requested host has a valid domain.com.conf file (it's a full domain), then that domain will be switched over to use cert=server mode (Best Match mode), which means it's now in full auto ssl.
Save settings to directadmin.conf
Admin accounts will be be able to call:
method: POST
action=settings
followed by any one of, or multiple of, the following settings:
letsencrypt_renewal_notice_to_admins
letsencrypt_renewal_error_to_users
renew_letsencrypt_on_suspended_domain
letsencrypt_renewal_success_notice
letsencrypt_disable_renew_after_renew_failure
letsencrypt_renewal_failure_notice_after_attempt
Caching
As the number of domain certificates on the box can be slow if we try to read all of them, a new cache file will be found here:
data/admin/certificate_cache.json
it will be rebuild every night after the tally is done (and after the LE retries are done)
Any "save" to a certificate by a User (or restore, etc) will trigger a rewrite of all domain/pointer certs for that User in that file. Deleting a domain does not clear entries from the cache, but the nightly rewrite will handle it. When being displayed, entries are retrieved based on the domainowners, so it will be fine as long as that's updated as it currently does.
Task queue
you can force a retry with the task.queue using:
cd /usr/local/directadmin
echo "action=ssl&value=admin_ssl&domain=domain.com" >> data/task.queue; ./dataskq d1245
even if this domain's cert does not qualify for a request/renewal, the above will try anyway.
You can force a full rebuild of the cache vwith:
echo "action=cache&value=certificates" >> data/task.queue; ./dataskq d1245
or only for one User with:
echo "action=cache&value=certificates&user=fred" >> data/task.queue; ./dataskq d1245
where the user method will first read the cache, and overwrite/add entries from fred to the cache file. The non-user mode will be a 100% rebuild without a read first.
Scripts
The ssl_save_pre.sh and ssl_save_post.sh should now accept:
action=single_cert
username=fred
domain=domain.com
where domain can be any of:
- a full User domain.com
- a sub-domain "sub.domain.com" below a domain.
- a pointer "pointer.com" below a domain.
- a pointer sub.pointer.com below a domain.
For action=single_cert, the domain value is only relevant to the host being requested, and to the value set in /etc/virtual/snidomains