BETA Functionality for the new Free Certificate Authority: https://letsencrypt.org/ directadmin.conf option: letsencrypt=0 where 0 is the internal default. To enable this feature, use: letsencrypt=1 followed by the "ACTION REQUIRED" below to add the .well-known Alias to the httpd-alias.conf file. Users can then access it from: User Level -> SSL Certificates where a 3rd certification creation radio box will be created: "Free & automatic certificate from Let's Encrypt" in addition to the other 2 'self-signed' and 'create request' options. There is an internal variable, set by default to: letsencrypt_renewal_days=85 you shouldn't need to adjust this. The certificates are only valid for 90 days, so DA starts trying to renew 85 days in. It's triggered at the end of a full tally, every night. Looks at any domain.com.cert.creation_time files, and sees if it's old enough. You can alternatively use: letsencrypt=2 to use: /home/user/domains/domain.com/public_html/.well-known but this method is not recommended, as it prevents the use of multi-domain certificates... use letsencrypt=1 :) while: letsencrypt=1 will use: to use /var/www/html/.well-known ====================== ACTION REQUIRED You must have the .well-known Alias pointing to /var/www/html/.well-known, so update your CustomBuild configs: cd /usr/local/directadmin/custombuild ./build update ./build rewrite_confs ====================== RATE LIMIT LetsEncrypt does have a rate limit, so you won't likely be able to secure hundreds of domains at the same time. https://community.letsencrypt.org/t/quick-start-guide/1631 As of Jan 31st, 2016 the rates are: Rate limit on registrations per IP is now 10 per 3 hours Rate limit on certificates per Domain is now 5 per 7 days but once the project becomes "stable", they'll likely increase the allowed rates. ====================== TASK.QUEUE as mentioned above, the full tally does handle the automated renewals, if they're about to expire. If you want to run a renewal check manually, you can use: echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue which will call the same function as the full tally calls. Only domains who's certificates are about to expire will be updated. ====================== SCRIPTS: /usr/local/directadmin/scripts/letsencrypt.sh usage: ./letsencrypt.sh request|renew|revoke domain.com 4096 (/path/to/csr-request-config-file) (document_root) but you shouldn't need to run it manually, as DA will call it automatically when the User triggers it through DA. Note, when you run it through DA, the domain.com.san_config will have more details, than if you run it from ssh (.san_config will be created, but with less info) ====================== CONFIG FILES /usr/local/directadmin/data/users/username/letsencrypt.key - L.E. account ID for this User. Only created once. /usr/local/directadmin/data/users/username/domains/domain.com.cert.creation_time - contains time L.E. cert was created (to be automatically renewed every 90 days) /usr/local/directadmin/data/users/username/domains/domain.com.cert.san_config - csr -config request info, used for creation and renewal. /var/www/html/.well-known/acme-challenge - directory created by DA for the random challenge key file: letsencrypt=1 /home/user/domains/domain.com/public_html/.well-known/acme-challenge - challenge key file if letsencrypt=2 .htaccess - added to either document root to disable mod_rewrite, in case it's enable higher up. ====================== SKINS user/ssl.html added a 3rd radiobox: |*if LETSENCRYPT="1"| <br><input type=radio name=request value="letsencrypt" disabled>Free & automatic certificate from <a class='listtitle' target=_blank href="https://letsencrypt.org/">Let's Encrypt</a></td> |*endif| ------ Show if LE is in use: |*if LETSENCRYPT_RENEWAL_DAYS!=""| <div style='padding: 20px; font-weight: bold;'>|LANG_LETSENCRYPT_IN_USE_AUTO_RENEWAL| |LETSENCRYPT_RENEWAL_DAYS| |LANG_LETSENCRYPT_DAYS|.</div> |*endif| ====================== LANG lang/en/user/ssl.html LANG_FREE_LETS_ENCRYPT=Free & automatic certificate from LANG_LETSENCRYPT_IN_USE_AUTO_RENEWAL=Let's Encrypt in use. Auto-renewal in LANG_LETSENCRYPT_DAYS=Days lang/en/internal/ssl.txt 28=Let's Encrypt is not enabled. You cannot use this option. 29=Invalid keysize. Valid values: %s 30=Unable to create %s: %s ====================== API CMD_API_SSL method: POST domain=domain.com action=save type=create request=letsencrypt name=www.domain.com firstname.lastname@example.org keysize=4096 encryption=sha256 le_select0=domain.com le_select1=mail.domain.com le_select2=www.domain.com ...etc.. ===================== TROUBLESHOOTING Reported issue with curl's ca-certificates where this command was required: update-ca-certificates if you see something like this in the output: Getting challenge for domain.com from acme-server... /usr/local/directadmin/scripts/letsencrypt.sh: 279: [: Illegal number: /usr/local/directadmin/scripts/letsencrypt.sh: 295: [: Illegal number: caused by an empty HTTD_STATUS variable, because of the broken ca-certificates for curl. Reported issue of DNSSEC possibly causing this error: "Challenge is invalid. Details: DNS problem: SERVFAIL looking up A for server.domain.com. Exiting...'. " but only after confirming that the A record for server.domain.com works correctly.