Admin SSL

The Admin SSL section in Admin Level allows for overview and management of all user/domain certificates, as well as hostname certificates.

Enhanced Skin: CMD_ADMIN_SSL
Evolution skin: /admin/ssl

In addition, it allows back-end automatic SSL certificate generation based on a poll frequency (to allow time for the domain to eventually resolve).

Requirements

  1. mail_sni=1 enabled
  2. admin_ssl_cert_per_vh=1
  3. admin_ssl_check_retries=1
  4. A domain will only be given an auto cert if it's set to use the "Shared Server Cert", in which case a per-VH cert will be created for each host (sorted out at httpd.conf write time based on snidomains)

Fix old/existing/expired/invalid certificates.

Internal default: admin_ssl_replace_all_expired_invalid=0

If set to 1, any fully expired/invalid LetsEncrypt certificates will automatically be brought back to life, following the polling schedule.

If set to 2, any fully expired/invalid certificates will automatically be brought back to life, following the polling schedule. This includes non-LetsEncrypt (e.g. EV) certificates, so be careful if you use this option. It does not poll for empty certs.

Install certs to hosts which do not have any.

Internal default: admin_ssl_install_to_missing=0

Set to: admin_ssl_install_to_missing=1

and DirectAdmin will check using the polling schedule to add or retry adding them. This setting is useful for newly added domains to automatically be given a certificate.

Retry enabled

admin_ssl_check_retries=1

You'd usually just keep this set to 1. Setting it to 0 will disable DA's check for the .ssl.next_retry file, which is what the GUI creates during its requests.

Basically it is the main on/off switch, BUT the other missing/invalid/expired checks are not dependent on it.

If they fail, they create the .ssl.next_retry file, so you need this enabled for them to be retried. It also needs to be enabled for retries on the other polling, like expired/invalid or missing.

The admin_ssl_check_retries=1 does not require the Pro-Pack, as the User Level Automatic SSL currently uses it.

Retry/Poll Frequency

Default value: admin_ssl_poll_frequency=5m:15m:30m:1h:12h:1d:1w

In more detail this option specifies that retry attempts should be run in these intervals:

<30 minutes: every 5 minutes
30m-1h: every 15 minutes
1h-4h: every 30 minutes
4h-1 day: hourly
2nd and 3rd days: every 12 hours
4th day onward: once per day
Stop trying after 1 week (7th entry)

Time units are case-sensitive: s, m, h, d, w, M, y

m is minute, M is Month.

A value with no unit is treated as seconds, since that's what they're converted to anyway.

Do not put a space between the number and the unit (1 d will end up being one second).

When a trigger fires, the NEXT window must be saved to the next_trigger file. The first_trigger value must remain so DA knows which window to check.
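As an added illustration (not DirectAdmin's own code), the following Python reconstructs the parsing rules and retry windows described above for admin_ssl_poll_frequency; which schedule entry applies to which window is an assumption made for the example.

```python
"""Interpreter for DirectAdmin's admin_ssl_poll_frequency format.

Added example, not DirectAdmin's own code. It follows the parsing
rules in the text (case-sensitive units, unit-less values are
seconds, "1 d" collapses to one second) and the retry windows the
text lists for the default schedule. Which entry applies to which
window is an assumption for illustration.
"""
from typing import List, Optional

UNIT_SECONDS = {
    "s": 1, "m": 60, "h": 3600, "d": 86400,
    "w": 7 * 86400, "M": 30 * 86400, "y": 365 * 86400,
}

def parse_interval(token: str) -> int:
    """Seconds for one entry such as '5m'. Only the leading digits
    are read; the character right after them must be a unit letter
    (m is minute, M is month). Anything else, a space or end of
    string included, means seconds, so '1 d' becomes one second."""
    i = 0
    while i < len(token) and token[i].isdigit():
        i += 1
    if i == 0:
        raise ValueError(f"no number in {token!r}")
    return int(token[:i]) * UNIT_SECONDS.get(token[i:i + 1], 1)

def parse_schedule(spec: str) -> List[int]:
    """Split the colon-separated list into seconds per entry."""
    return [parse_interval(t) for t in spec.split(":")]

# Start of each window (seconds since first_trigger); window n uses
# schedule entry n. Values come from the interval table above.
WINDOW_STARTS = [0, 30 * 60, 3600, 4 * 3600, 86400, 3 * 86400]

def next_retry_delay(spec: str, since_first: int) -> Optional[int]:
    """Seconds until the next attempt, or None once the elapsed time
    reaches the last entry (1w by default) and retries stop."""
    sched = parse_schedule(spec)
    if since_first >= sched[-1]:
        return None
    idx = sum(1 for start in WINDOW_STARTS if since_first >= start) - 1
    return sched[min(max(idx, 0), len(sched) - 2)]
```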

Disable all

If this feature is not behaving nicely, to quickly disable it:

cd /usr/local/directadmin
./directadmin set admin_ssl_replace_all_expired_invalid 0
./directadmin set admin_ssl_install_to_missing 0
./directadmin set admin_ssl_check_retries 0
service directadmin restart

View all certificates:

CMD_ADMIN_SSL?json=yes

REQUEST new certificates for selected domains

CMD_ADMIN_SSL
method: POST
action=multiple
request=yourdomain
select0=domain1.com
(select1=domain2.com)
(wildcard=yes)

Where you can select 1 or more domains with select0 and up.

wildcard=yes can be passed to request a *.domain.com cert.

Save the request to the data/users/USER/domains/DOMAIN.COM.ssl file, which will store the related request info and retry schedule.

On completion of a valid request (after however many retries it takes to succeed), if the requested host has a valid domain.com.conf file (i.e. it's a full domain), that domain is switched over to cert=server mode (Best Match mode), which means it is now in full auto SSL.

Save settings to directadmin.conf

Admin accounts will be able to call:

method: POST
action=settings

followed by any one of, or multiple of, the following settings:

letsencrypt_renewal_notice_to_admins
letsencrypt_renewal_error_to_users
renew_letsencrypt_on_suspended_domain
letsencrypt_renewal_success_notice
letsencrypt_disable_renew_after_renew_failure
letsencrypt_renewal_failure_notice_after_attempt

Caching

Reading all of the domain certificates on the box can be slow, so a new cache file is found here:

data/admin/certificate_cache.json

It will be rebuilt every night after the tally is done (and after the LE retries are done).

Any "save" to a certificate by a User (or restore, etc) will trigger a rewrite of all domain/pointer certs for that User in that file. Deleting a domain does not clear entries from the cache, but the nightly rewrite will handle it. When being displayed, entries are retrieved based on the domainowners, so it will be fine as long as that's updated as it currently does.

Task queue

You can force a retry via the task.queue using:

cd /usr/local/directadmin
echo "action=ssl&value=admin_ssl&domain=domain.com" >> data/task.queue; ./dataskq d1245

Even if this domain's cert does not qualify for a request/renewal, the above will try anyway.

You can force a full rebuild of the cache with:

echo "action=cache&value=certificates" >> data/task.queue; ./dataskq d1245

or only for one User with:

echo "action=cache&value=certificates&user=fred" >> data/task.queue; ./dataskq d1245

where the user method will first read the cache, then overwrite/add the entries for fred in the cache file. The non-user mode is a 100% rebuild without reading the cache first.

Scripts

The ssl_save_pre.sh and ssl_save_post.sh should now accept:

action=single_cert
username=fred
domain=domain.com

where domain can be any of:

  • a full User domain.com
  • a sub-domain "sub.domain.com" below a domain.
  • a pointer "pointer.com" below a domain.
  • a pointer sub.pointer.com below a domain.

For action=single_cert, the domain value is only relevant to the host being requested, and to the value set in /etc/virtual/snidomains.
