BETA

This feature is part of the DirectAdmin Pro Pack:
https://docs.directadmin.com/getting-started/pro-pack/overview

Admin Level functions for overview and management of all User/Domain certificates, as well as hostname certificates.

Enhanced Skin: CMD_ADMIN_SSL
Evolution skin: /admin/ssl

It also adds back-end automatic SSL certificate generation based on a poll frequency (to allow time for the domain to eventually resolve).

====================
REQUIREMENTS

1) DirectAdmin Pro Pack
2) mail_sni=1 enabled
3) pointers_own_virtualhost=1
4) admin_ssl_cert_per_vh=1
5) admin_ssl_check_retries=1
6) A domain will only be given an auto cert if it's set to use the "Shared Server Cert", in which case a per-VH cert will be created for each host (sorted out at httpd.conf write time based on snidomains)

====================
DIRECTADMIN.CONF

-------------
REPLACE EXPIRED/INVALID

Fix old/existing/expired/invalid certificates.

Internal default:
admin_ssl_replace_all_expired_invalid=0

If set to 1, any fully expired/invalid LetsEncrypt certificates will automatically be brought back to life, following the polling schedule.

If set to 2, any fully expired/invalid certificates will automatically be brought back to life, following the polling schedule. This includes non-LetsEncrypt (Eg: EV) certs, so be careful if you use this option.

Does not poll for empty certs.

TODO: handle 2 case.

-------------
Install certs to hosts which do not have any.

Internal default:
admin_ssl_install_to_missing=0

Set to:
admin_ssl_install_to_missing=1

and DirectAdmin will check, using the polling schedule, to add them or retry the adding of them. This setting is useful for newly added domains to automatically be given a certificate.

------------
Retry enabled

admin_ssl_check_retries=1

You'd usually just keep this set to 1. Setting it to 0 will disable DA's check for the .ssl.next_retry file, which is what the GUI would create during its requests.

Basically the main on/off switch, BUT the other missing/invalid/expired checks are not dependent on it. If they fail, then they'd create the .ssl.next_retry file, and then you'd need this on. This also needs to be enabled for retries on other polling, like expired/invalid or missing.

The admin_ssl_check_retries=1 setting does not require the Pro Pack, as the User Level Automatic SSL currently uses it.

-------------
Retry/Poll Frequency

admin_ssl_poll_frequency=5m:15m:30m:1h:12h:1d:1w

<30 minutes: every 5 minutes
30m-1h: every 15 minutes
1h-4h: every 30 minutes
4h-1 day: hourly
2nd, 3rd days: every 12 hours
4th day onward: once per day
Stop trying after 1 week (7th entry)

Time units are case-specific: s,m,h,d,w,M,y (m is minute, M is Month).
A value with no unit is treated as seconds, since that's how they're intended to end up anyway.
No spaces after the numbers before the units ("1 d" will end up being one second).

When a trigger is done, it must save that NEXT window to the next_trigger file. The first_trigger must still remain so we know which window to check.

====================
DISABLE ALL

If this feature is not behaving nicely, to quickly disable it:

cd /usr/local/directadmin
./directadmin set admin_ssl_replace_all_expired_invalid 0
./directadmin set admin_ssl_install_to_missing 0
./directadmin set admin_ssl_check_retries 0
service directadmin restart

====================
VIEW all certificates:

CMD_ADMIN_SSL?json=yes

====================
REQUEST new certificates for selected domains

CMD_ADMIN_SSL
method: POST
action=multiple
request=<anytext>
select0=domain1.com
(select1=domain2.com)
(wildcard=yes)

Where you can select 1 or more domains with select0 and up.
wildcard=yes can be passed to request a *.domain.com cert.

The request is saved to the data/users/USER/domains/DOMAIN.COM.ssl file, which will store the related request info and retry schedule.
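To make the admin_ssl_poll_frequency semantics concrete, here is an added example (not DirectAdmin's own code) that parses the schedule string with the case-specific units and picks the retry interval from the documented windows, so a misconfigured value can be caught before it is written to directadmin.conf. The window boundaries (30m, 1h, 4h, 1d, 3d, give up at the 7th entry) are taken from the list in the Retry/Poll Frequency section; the month/year lengths and the function names are assumptions.

```python
import re

# Seconds per unit. Units are case-specific: m is minute, M is Month.
# Month and year lengths (30 and 365 days) are assumptions for this example.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400,
         "w": 604800, "M": 2592000, "y": 31536000}

DEFAULT_POLL_FREQUENCY = "5m:15m:30m:1h:12h:1d:1w"

# Upper bound of each documented window, indexed like the schedule entries:
# entry 0 applies below 30m, entry 1 below 1h, entry 2 below 4h, entry 3
# below 1d, entry 4 on days 2-3, entry 5 from day 4 until the 7th entry
# (the give-up limit) is reached.
WINDOW_BOUNDS = ["30m", "1h", "4h", "1d", "3d"]


def parse_duration(token):
    """Turn one entry such as '5m' or '1w' into seconds.

    A bare number is seconds. The regex is anchored, so '1 d' (a space
    before the unit) is reported as malformed rather than silently becoming
    one second, which the docs say is what DirectAdmin would do with it.
    """
    match = re.fullmatch(r"(\d+)([smhdwMy]?)", token)
    if not match:
        raise ValueError(f"malformed duration entry: {token!r}")
    return int(match.group(1)) * UNITS[match.group(2) or "s"]


def parse_schedule(value):
    """Split an admin_ssl_poll_frequency value into a list of seconds."""
    schedule = [parse_duration(t) for t in value.split(":")]
    if len(schedule) != 7:
        raise ValueError("expected 7 entries: six intervals plus a give-up limit")
    return schedule


def next_retry_delay(elapsed, value=DEFAULT_POLL_FREQUENCY):
    """Seconds until the next retry for a request whose first_trigger was
    `elapsed` seconds ago, or None once the 7th entry has passed."""
    schedule = parse_schedule(value)
    if elapsed >= schedule[6]:
        return None  # stop trying after the 7th entry (1w by default)
    for idx, bound in enumerate(WINDOW_BOUNDS):
        if elapsed < parse_duration(bound):
            return schedule[idx]
    return schedule[5]  # 4th day onward: once per day
```

Feeding next_retry_delay() the age of a request's first_trigger gives the value that would be written as its next_trigger, which makes it easy to sanity-check a custom schedule before relying on it.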
On COMPLETION of a valid request (after however many retries it takes to succeed), if that requested host has a valid domain.com.conf file (i.e. it's a full domain), then that domain will be switched over to use cert=server mode (Best Match mode), which means it's now in full auto SSL.

====================
SAVE SETTINGS to directadmin.conf

Admin accounts will be able to call:

method: POST
action=settings

followed by any one of, or multiple of, the following settings:

letsencrypt_renewal_notice_to_admins
letsencrypt_renewal_error_to_users
renew_letsencrypt_on_suspended_domain
letsencrypt_renewal_success_notice
letsencrypt_disable_renew_after_renew_failure
letsencrypt_renewal_failure_notice_after_attempt

====================
CACHING

As reading every domain certificate on the box can be slow when there are many of them, a new cache file will be found here:

data/admin/certificate_cache.json

It will be rebuilt every night after the tally is done (and after the LE retries are done).

Any "save" to a certificate by a User (or restore, etc) will trigger a rewrite of all domain/pointer certs for that User in that file.

Deleting a domain does not clear entries from the cache, but the nightly rewrite will handle it.

When being displayed, entries are retrieved based on the domainowners file, so it will be fine as long as that's updated as it currently is.

====================
TASK QUEUE

You can force a retry with the task.queue using:

cd /usr/local/directadmin
echo "action=ssl&value=admin_ssl&domain=domain.com" >> data/task.queue; ./dataskq d1245

Even if this domain's cert does not qualify for a request/renewal, the above will try anyway.

--

You can force a full rebuild of the cache with:

echo "action=cache&value=certificates" >> data/task.queue; ./dataskq d1245

or only for one User with:

echo "action=cache&value=certificates&user=fred" >> data/task.queue; ./dataskq d1245

where the user method will first read the cache, and overwrite/add entries from fred to the cache file.
The non-user mode will be a 100% rebuild without a read first.

====================
SCRIPTS

The ssl_save_pre.sh and ssl_save_post.sh should now accept:

action=single_cert
username=fred
domain=domain.com

where $domain can be any of:
- a full User domain.com
- a sub-domain "sub.domain.com" below a domain.
- a pointer "pointer.com" below a domain.
- a pointer sub.pointer.com below a domain.

For action=single_cert, the "domain" value is only relevant to the host being requested, and to the value set in /etc/virtual/snidomains.

====
EVO2081