Knowledge Base

How Can We Help?

LetsEncrypt Support in DirectAdmin Control Panel

You are here:

LetsEncrypt is a certificates authority that provides complimentary SSL/TLS certificates for an internet server. It offers a free TLS encryption utilizing an automated process. Typically enabling SSL is a complicated process which requires manual creation, validation, signing, installation, and renewal of certificates in order to achieve a secure private connected website. The automated process eliminates the need for the aforementioned steps. Additionally, LetsEncrypt is supported by all major web browsers. This tutorial describes LetsEncrypt support on a DirectAdmin web server. LetsEncrypt support is a built-in feature or is available natively since DirectAdmin version 1.50. Help can either be easily integrated or can be enabled by manually logging in to the server through SSH for older versions.

 

Enabling as a built-in feature

1) First, update DirectAdmin control panel and the server to the latest versions.

2) Execute a specific command for changing the DirectAdmin configuration file to enable LetsEncrypt. This can be manually executed by modifying the configuration file /usr/local/directadmin/conf/directadmin.conf. By changing the value zero to 1 it enables LetsEncrypt software.

The command for doing that is as below.

$ grep -q ‘letsencrypt=1’ /usr/local/directadmin/conf/directadmin.conf || echo ‘letsencrypt=1’ >> /usr/local/directadmin/conf/directadmin.conf

For allowing multiple SSL enabled websites on single IP address SNI support of TLS protocol must be enabled on the server. The command below is used to enable SNI

$ grep -q ‘enable_ssl_sni=1’ /usr/local/directadmin/conf/directadmin.conf ||echo ‘enable_ssl_sni=1’ >>/usr/local/directadmin/conf/directadmin.conf

 

3) After changing the configuration file, we have to restart DirectAdmin.

4) Help is enabled and the next step is to provision the certificates. Login with the user for whom we need to request the certificates for and navigate to Advanced Options >> SSL certificates.

5) Select the third option, “Free & automatic certificates” from Let’s Encrypt and fill in the fields. It will enable the SSL certificates and will display the message “Certificate and Key Saved” with certificates details.

 

Enabling manually

It is necessary to SSH to the server and install the Git Clone LetsEncrypt code to the server. This can be done by using the commands below.

$ git clone https://github.com/letsencrypt/letsencrypt

$ cd letsencrypt

You need to provide your Webroot path. The user places the authentication challenge files there to do the actual certificate domain ownership validation. You can find that in your webserver configuration. For DirectAdmin it’s like this: /home/USERNAME/domains/DOMAIN.EXT/public_html.

Now execute the LetsEncrypt command to obtain the certificates.

$ ./letsencrypt-auto –server https://acme-01.api.letsencrypt.org/directory certonly –agree-tos –email ‘[email protected]’ –webroot –webroot-path ‘/home/USERNAME/domains/DOMAIN.COM/public_html/’ -d domain.com -d www.domain.com

If you need a certificate with multiple subdomains or with www.domain.tld and domain.tld, specify the -d domain option multiple times. Make sure the Webroot is the same. If you only need one domain, change the example and remove the last -d option. The user will then do some work with the LetsEncrypt service to validate domain ownership. If all goes well it will print out the below message:

Version: 1.1-20080819

Version: 1.1-20080819

IMPORTANT NOTES:

– Congratulations! Your certificate and chain have been saved at

/etc/letsencrypt/live/DOMAIN.COM/fullchain.pem. Your cert

will expire on 2017-03-31. To obtain a new version of the

certificate in the future, simply run Let’s Encrypt again.

– If you like Let’s Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt:   https://letsencrypt.org/donate

Donating to EFF:                    https://eff.org/donate-le

 

Now LetsEncrypt certificates is added and you can proceed with the installation. The certificates are located on your system and you can check them with the following command:

$ ls -la /etc/letsencrypt/live/DOMAIN.COM/

 

Get the contents of the certificate, private key, and chain with the following commands. Remember to replace certificatemonitor.org with your domain:

$ cat /etc/letsencrypt/live/certificatemonitor.org/cert.pem

$ cat /etc/letsencrypt/live/certificatemonitor.org/privkey.pem

$ cat /etc/letsencrypt/live/certificatemonitor.org/chain.pem

 

After you’ve installed the certificate in the control panel (DirectAdmin), we need to symlink these files to the LetsEncrypt files so that auto renewal will work. We do need to first install them through the control panel so that the configuration gets updated in the correct way. Most control panels overwrite manual changes. Login to your DirectAdmin control panel and navigate to your website. Under “Advanced Options” click “SSL Certificates”. Select the radio button for the “Paste a pre-generated certificate and key” option. In the text field below, first paste the contents of the cert.pem file. Below that, paste the contents of the privkey.pem file.

Letsencrypt

 

 

Click on the Save button. Now return to the main domain screen, and navigate to “Advanced Options” –> “SSL Certificates” again. Scroll down and open the link Click Here to paste a CA Root Certificate. Mark the checkbox “Use a CA Cert”. Paste the contents of the chain.pem file there. Click the Save button. If you haven’t already enabled SSL for your domain, do that now. Navigate to the main domain screen. Click “Domain Setup”. Open your domain. Mark the Secure SSL checkbox and click the save button. Now, under private_html setup for DOMAIN.COM – (SSL must be enabled above) mark the radio button. Use a symbolic link from private_html to public_html – allows for same data in http and https and click the save button again. Now navigate to https://yourdomain and verify the certificate.

 

Leave a Comment