da-letsencrypt's People

Contributors

barryvdh, martijnpieters, sjerdo

da-letsencrypt's Issues

SSL installed with da-letsencrypt but not activated

Hi,

I've tried using the plugin, but when creating a Let's Encrypt certificate with it, the SSL setting in the domain config file isn't changed. Therefore, SSL was not activated in the end.

/usr/local/directadmin/data/users/admin/domains/somedomain.ext.conf
ssl=OFF

I'm using custombuild with nginx_apache combination.

Enable per user-level

Add functionality to enable or disable this plugin per user level.

For example: the admin does not want his users to request SSL certificates because of his sales model. He wants to disable the user level access.

This changes user=yes to user=no in plugin.conf

Error while completing domain challenges (Nginx)

It shows an error message when submitting the form:

Error while completing domain challenges
Details
Could not obtain directory.

OS : CentOS 6 (x64)
DirectAdmin with Custombuild
Nginx Web Server
PHP-FPM : 7.0.1

httpd restart in cron

In the file /scripts/cron.php on line 104 the cron will restart httpd gracefully. I am not sure, but doesn't the rewrite on line 103 restart httpd already?

Multi-Domain (SAN) Certificates

Is it possible to create a cert that includes all domains? (Multi-Domain (SAN) Certificates)
A cert that includes not only the main domain but also the other domains, all in one user's account?
Of course the domain pointer is also included.

I have a server that has 5 IPs. I assigned 4 IPs to 4 different users; each of them has multiple domains but only one dedicated IP, and SNI is not very friendly at the moment. So a SAN/UCC cert is needed.

Allow any certificate valid or not to connect to directadmin

Get the following error code when SSL=1: Using CACERT certificate.

Warning: stream_socket_client(): SSL: Connection reset by peer in /usr/local/directadmin/plugins/da-letsencrypt/includes/lib/HTTPSocket.php on line 198
Warning: stream_socket_client(): Failed to enable crypto in /usr/local/directadmin/plugins/da-letsencrypt/includes/lib/HTTPSocket.php on line 198
Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:2222 (Unknown error) in /usr/local/directadmin/plugins/da-letsencrypt/includes/lib/HTTPSocket.php on line 198

OpenSSL s_client works and gives the correct certificate.

Need to disable SSL to make the plugin work. At the moment, see also the previous issue about requesting an SSL cert for the portal.

Set Let's Encrypt path

At the moment it is not possible to let Let's Encrypt install in a specified folder via CLI. Issue is open at Let's Encrypt. Once available change install.sh and other paths.

Compatible with PHP7?

Just got this PHP Fatal Error on my server.

I guess this is because I am running PHP 7.0...

(I was requesting a Certificate at that time)

image

Add delete options

Delete options for domain and account. When account delete button has been pressed, we will wipe everything and the domain will not be monitored anymore. When domain delete button has been pressed, we will only wipe the domain.

Shall we also disable the SSL and CA certificates in DirectAdmin?

Multi Domain (SAN) Certificates

You should be able to select which hostnames are to be included in the certificate.

For example:
I have a domain example.com which has subdomains subdomain1 and subdomain2. I have another domain example.net which is a pointer (alias) for example.com

In this case, the following hostnames can/should be included in the certificate example.com:

can't create new ssl if uncheck subdomains option

If the Subdomains option is unchecked, this error message is shown:
Fatal error: Wrong parameters for Exception([string $exception [, long $code [, Exception $previous = NULL]]]) in /usr/local/directadmin/plugins/da-letsencrypt/includes/lib/Domain.php on line 109

But if the Subdomains option is checked, it works 👍

OS : CentOS 6 (x64)
DirectAdmin with Custombuild
Apache 2.2 Web Server
PHP : 5.5.30

Create option to switch server

In the admin (and maybe reseller?) level we need to create an option/value to define the used server. Defaults to live (api-01), but we should be able to overwrite this.

Sometimes invalid nonce

Sometimes I get an error when requesting the certificates:

Invalid response code: 400 {"type":"urn:acme:error:badNonce","detail":"Unable to read/verify body :: JWS has invalid anti-replay nonce","status":400}

Not sure how this happens. Sometimes it does, sometimes it doesn't. It worked fine yesterday on live server, today got this error a few times on staging.

User in plugin.conf not used

Is user used in plugin.conf? It seems that this was added because of enabling the plugin per user level, but this is obsolete since issue #3.

Test for SNI when installing

SNI must be enabled for this plugin to work properly, because DirectAdmin will prevent API calls from being made when SNI isn't enabled (or the user must have an own IP).

Domain variable

[11-Dec-2015 12:28:15 Europe/Amsterdam] PHP Notice: Undefined variable: domain in /usr/local/directadmin/plugins/da-letsencrypt/user/index.html on line 10
[11-Dec-2015 12:28:15 Europe/Amsterdam] PHP Notice: Undefined variable: domain in /usr/local/directadmin/plugins/da-letsencrypt/user/index.html on line 14

    <input type="hidden" name="domain" value="<?= $domain; ?>"/>

Also I'm not sure, but is the domain going through these kinds of checks?

  • valid domain, no weird characters
  • do you own the domain, not some other user
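One way to implement the two checks asked about above, together with escaping the value written into the hidden field. This is an added example, not code from da-letsencrypt: the function names are hypothetical, and `$ownedDomains` is assumed to be the logged-in user's domains and pointers, loaded by the caller from DirectAdmin.

```php
<?php
// Added example: hypothetical helpers, not code from da-letsencrypt.

/** Return the lower-cased hostname if it is syntactically valid, otherwise null. */
function normalizeHostname($input)
{
    if (!is_string($input)) {
        return null;
    }
    $host = strtolower(trim($input));
    if (substr($host, -1) === '.') {            // accept the form "example.com."
        $host = substr($host, 0, -1);
    }
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // Label: 1-63 chars of a-z, 0-9 or "-", not starting or ending with "-".
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    // \A and \z anchor the whole string; at least two labels are required.
    $ok = preg_match('/\A' . $label . '(?:\.' . $label . ')+\z/', $host) === 1;
    return $ok ? $host : null;
}

/** Resolve the posted value to a domain the logged-in user may act on. */
function resolveRequestedDomain($posted, array $ownedDomains)
{
    $host = normalizeHostname($posted);
    if ($host === null) {
        throw new InvalidArgumentException('Invalid domain name');
    }
    // Exact match against the user's own list, never a lookup by path or prefix.
    if (!in_array($host, array_map('strtolower', $ownedDomains), true)) {
        throw new RuntimeException('Domain does not belong to this user');
    }
    return $host;
}

// Constructed sample input: values a form could post for a user owning two domains.
$owned  = array('example.com', 'example.net');
$posted = array('Example.COM', 'other-user.example.org', 'x"><script>', '../../etc/passwd', null);

foreach ($posted as $i => $candidate) {
    try {
        $domain = resolveRequestedDomain($candidate, $owned);
        // Escape on output even though the value has been validated.
        echo '<input type="hidden" name="domain" value="'
            . htmlspecialchars($domain, ENT_QUOTES, 'UTF-8') . '"/>' . "\n";
    } catch (Exception $e) {
        echo 'input #' . $i . ' rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only the first value produces a form field; the second is a valid hostname that fails the ownership check, and the rest fail validation.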

Add other subdomain names for mail pop3 etc to certificate

I use the domain certificates for users also for dovecot, I used wildcard domains for that. So I would like to add the following subdomains to the certificate.

imap.domain.com
pop3.domain.com
pop.domain.com
smtp.domain.com
mail.domain.com

Is it possible to add these to the SSL request form as a default option you can select?

Dovecot SSL Config:
http://help.directadmin.com/item.php?id=388

For Exim, SNI should work; I haven't tested this yet. There are forum posts.
Exim SSL Config:
http://help.directadmin.com/item.php?id=389
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
http://forum.directadmin.com/showthread.php?t=50059&page=7&p=263954#post263954

I created a simple script to configure this; maybe you can add something similar to this plugin to add these configurations to Dovecot.

Can't Request a (new) SSL certificate

It shows an error message:

Error while completing domain challenges
Details
Could not obtain directory.

OS : CentOS 6 (x64)
DirectAdmin with Custombuild
Nginx Web Server

Rate limit

There is a rate limit for the public beta launch.

  • Rate limit on registrations per IP is currently 10 per 3 hours
  • Rate limit on certificates per Domain is currently 5 per 7 days

The plugins must track this to ensure a good functioning plugin. We have to track the requests per hour and limit the request. Maybe a queue will be handy to have in this situation.

Thanks to zEitEr from DirectAdmin forums for reporting this issue: http://forum.directadmin.com/showthread.php?t=51588&p=269400#post269400
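The tracking this issue asks for, sketched as an added example (not plugin code): a sliding-window counter configured with the two limits quoted above. The class name, keys and timestamps are constructed for illustration, and state is kept in memory where a plugin would have to persist it between runs.

```php
<?php
// Added example: hypothetical class, not code from da-letsencrypt.
final class SlidingWindowLimiter
{
    private $limit;
    private $window;
    private $events = array();   // key => ascending list of Unix timestamps

    public function __construct($limit, $windowSeconds)
    {
        $this->limit  = $limit;
        $this->window = $windowSeconds;
    }

    /** Seconds until another request for $key fits the limit (0 = allowed now). */
    public function retryAfter($key, $now)
    {
        $recent = $this->recent($key, $now);
        if (count($recent) < $this->limit) {
            return 0;
        }
        // The oldest of the last $limit requests has to leave the window first.
        $oldest = $recent[count($recent) - $this->limit];
        return $oldest + $this->window - $now;
    }

    public function record($key, $now)
    {
        $this->events[$key]   = $this->recent($key, $now);
        $this->events[$key][] = $now;
    }

    private function recent($key, $now)
    {
        $cutoff = $now - $this->window;
        $list   = isset($this->events[$key]) ? $this->events[$key] : array();
        return array_values(array_filter($list, function ($t) use ($cutoff) {
            return $t > $cutoff;
        }));
    }
}

// Limits as stated in the issue above.
$registrations = new SlidingWindowLimiter(10, 3 * 3600);   // per IP
$certificates  = new SlidingWindowLimiter(5, 7 * 86400);   // per domain

// Constructed scenario: six hourly requests for one domain.
$t0 = 1450000000;
for ($i = 0; $i < 6; $i++) {
    $now  = $t0 + $i * 3600;
    $wait = $certificates->retryAfter('example.com', $now);
    if ($wait === 0) {
        $certificates->record('example.com', $now);
        echo "request $i: sent\n";
    } else {
        echo "request $i: queued, retry in {$wait}s\n";   // 586800s for request 5
    }
}
```

Requests 0 to 4 are sent; the sixth is held back until the first one leaves the 7-day window, which is where the queue mentioned in the issue would come in.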

SAN domains not in certificate

I've recently found out that SAN certificates are not properly handled at Let's Encrypt (as it seems like). I'm unsure why, the CSR seems to be correct and holds all necessary information.

See this CSR at this or this site. This CSR is created using our plugin.

After sending this CSR to Let's Encrypt and after receiving the cert, it doesn't seem to contain the SAN domains. Only the domain provided in the CN field (which wasn't there in the example CSR, I was testing around).

I'm not sure if this is the right location to post it tho, because it has something to do with the library I think. But I hope one of you guys knows what's going wrong.

Update user index with more details

Currently, you're only able to request an SSL certificate through this page. Here we should add another page for when the SSL certificate is active, with more details like expiry date and a reissue button. At the moment, the user doesn't have a clue when it expires or if it's even installed.

Security enhancement

/user/actions/request.html on line 68 shows that if an RSA private key exists, it will be re-used. I believe it is better to generate new keys to prevent abuse from possible stolen keys upon a hack. This way the private key changes every 90 days which improves security.

Correct me if I'm wrong, please.

Cron questions/issues

A few notes about the cron:

  • When the plugin is installed but not active, does the cron still run? Should a check in the beginning of cron.php check whether the plugin is active, and otherwise directly quit?
  • When no certificates are renewed, should a message still be sent? Or perhaps with a different header? Or add the number of renewals in the subject header?
  • 2 messages in my case 2 tickets were merged together; see image:

image

No permission to execute composer

Hi,

I am getting the following error when running /scripts/install.sh on CentOS 6:

[root@server3 da-letsencrypt]# sh ./scripts/install.sh
./scripts/install.sh: regel 12: /tmp/composer.phar: Toegang geweigerd
Successfully installed Let's Encrypt plugin to DirectAdmin.

"Toegang geweigerd" means "No permission"

Get expiration date from certificate

As discussed in #23

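    public function getCertificateExpirationTime() {
        // openssl_x509_parse() returns false when the certificate cannot be parsed
        $certInfo = openssl_x509_parse($this->getCertificate());
        if ($certInfo === false) {
            throw new \Exception('Unable to parse certificate');
        }
        return $certInfo['validTo_time_t']; // Unix timestamp of notAfter
    }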

/actions/request.html white page

After accepting the terms for LE, request.html only shows an empty white page in the DirectAdmin layout.

The LE account looks successfully created since I can view the keys for an account.

The SSL cert itself is not created.

Unfortunately no errors in the PHP error log.

System: Centos 5, up to date directadmin.

PHP error

[root@server da-letsencrypt]# composer install
-bash: composer: command not found

And when I install with the DirectAdmin plugin manager, I get this error when it is activated:

Warning: require_once(/usr/local/directadmin/plugins/da-letsencrypt/vendor/autoload.php): failed to open stream: No such file or directory in /usr/local/directadmin/plugins/da-letsencrypt/includes/bootstrap.php on line 7
Fatal error: require_once(): Failed opening required '/usr/local/directadmin/plugins/da-letsencrypt/vendor/autoload.php' (include_path='.:/usr/local/lib/php') in /usr/local/directadmin/plugins/da-letsencrypt/includes/bootstrap.php on line 7

directadmin/error.log

Install goes fine as long as .phar is added to the suhosin whitelist and proc_open, proc_close and something else (can't recall) is not in php.ini disabled_functions.
Okay for a few days constant logging of error in: /var/log/directadmin/error.log

Unable to get any data from petertjuh360.github.io:23.xxx.50.xxx : Cannot find the end of the headers

Getting Fatal Error: Class Crypt_RSA not found

I have installed da-letsencrypt, with php = 5.5.x and have sni enabled.

In DA, when I go to the user level, select the domain / subdomain and try to request an SSL certificate, click on the TOS checkbox and submit, I get:

Fatal error: Class 'Crypt_RSA' not found in /usr/local/directadmin/plugins/da-letsencrypt/includes/lib/Account.php on line 94

Fix automated updates

Currently the detecting and updating of the plugin through the automated way in DirectAdmin isn't working. We need to create a small script which provides the last version (just in txt) through HTTP. This URL has to be set in the version_url option in plugin.conf. Detection could be done using the https://github.com/Petertjuh360/da-letsencrypt/releases/latest URL of GitHub, which returns a Location header with the latest version in it.

On the other side we need to create a script which downloads the last release from GitHub, packs it so DirectAdmin understands it (.tar.gz), and sends it to the browser. This URL has to be set to the update_url in plugin.conf.

Can't retrieve certificate when forcing SSL with .htaccess

Greetings again :)

First of all my apologies for my bad English.

On topic:
When I'm trying to install Let's Encrypt based certificates on, for example, an HTML site, it does work without .htaccess redirects to https, but if they exist, the challenge cannot be completed.

I'm not sure if that's normal or not. I'm wondering how auto renewal will behave with what seems to be an issue.

I've found a workaround for the .htaccess, where the REMOTE_ADDR is the main IP of your server:

    # Force SSL
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REMOTE_ADDR} !^123.123.123.123$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    RewriteCond %{HTTP_HOST} !^www.
    RewriteCond %{REMOTE_ADDR} !^123.123.123.123$
    RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Status

Can you add a status and/or roadmap and a simple 'get started' section?

Can I just clone this folder, run composer install, zip the folder and install via DirectAdmin plugin manager?

Status, what is working, what isn't?

  • Creating certificate request
  • Accept and automate http challenge in public_html folder
  • Install certificate for user?
  • Issue cron
  • Configuration (API server)

And it's still pointing to staging, right?

Keys saved but not registered at server

When you switch between servers (staging/live for example) the account keys are saved locally, so reused. But they aren't known at the server, so the server responds with an error that the key isn't registered yet.

Error on /actions/request.html

When I try to generate a new SSL certificate, it gives the following error:
Fatal error: Wrong parameters for Exception([string $exception [, long $code [, Exception $previous = NULL]]]) in /usr/local/directadmin/plugins/da-letsencrypt/includes/lib/Domain.php on line 109

Line 109: throw new \Exception("Error requesting certificate: ". $e->getMessage(), $e->getCode(), $e);

Detect DirectAdmin port

Some users may not use the default port 2222 for DirectAdmin. We've to detect this and use the detected port for API calls.

Use PHP library, instead of Python

This plugin is fully written in PHP, as I see. Isn't it better to use a PHP library, like this one? This way you should be able to better implement it in the plugin.

I'd love to help, so I'll contribute some code in the next few days when I have time. Maybe, If you guys agree, with this PHP library (or any other).

Always use API? (also in cron)

Wouldn't it be better to always use the API?

Not sure if it's possible, but right now there are 2 ways to get all subdomains, two ways to add certificates etc. It would probably be more 'reliable' when it's just the API.

Problems:

  • Currently API is using the user session, no password/keys
  • Cron doesn't have user session/context

Possible solutions:

  • Use admin login key (restrict usage to local IP and SSL+actual commands), use that to login as client (admin|user), but not sure if that's possible with login keys.
  • Create and store login keys per user, use that to login as the actual user.
  • (Could be created via the API, without user interaction)

Downsides of login keys

  • More work maintaining/syncing them? But already is a config system for certs/keys etc.
  • Security? Should be okay because you can restrict per IP and commands, right?

Problem when installing the plugin

I have php 5.5.31 and have composer installed. When I run:

php composer.phar install

I got the warning saying:

Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. Run update to update them.

I have tried
php composer.phar update
or
php composer.phar update --lock

and run the composer install again, and can't get rid of the warning.

Should I keep proceeding with the command: chown diradmin:diradmin -hR ../da-letsencrypt/ and change active=no and installed=no to active=yes and installed=yes in plugin.conf?

Please advise.
