Let's Encrypt automated free SSL certificate installs

slwt2002
Administrator
Posts: 126
Joined: Wed 24 Jun 2015 18:03

Post by slwt2002 »

Let's Encrypt automated free SSL certificate installs (SKINS)(LANG)

Quick install

Code:
echo letsencrypt=1 >> /usr/local/directadmin/conf/directadmin.conf
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
./build rewrite_confs

Functionality for the new Free Certificate Authority:
https://letsencrypt.org/

directadmin.conf option:

Code:
letsencrypt=0

where 0 is the internal default.
To enable this feature, use:

Code:
letsencrypt=1

Users can then access it from:
User Level -> SSL Certificates

where a 3rd certificate creation radio box will be created:
"Free & automatic certificate from Let's Encrypt"
in addition to the other 2 'self-signed' and 'create request' options.

There is an internal variable, set by default to:
letsencrypt_renewal_days=85
you shouldn't need to adjust this.
The certificates are only valid for 90 days, so DA starts trying to renew 85 days in.
It's triggered at the end of a full tally, every night. It looks at any domain.com.cert.creation_time file and sees if it's old enough.

You can alternatively use:
letsencrypt=2
to use:
/home/user/domains/domain.com/public_html/.well-known
but this method is not recommended, as it prevents the use of multi-domain certificates... use letsencrypt=1 :)

while:
letsencrypt=1
will use:
/var/www/html/.well-known

======================
ACTION REQUIRED
You must have the .well-known Alias pointing to /var/www/html/.well-known, so update your CustomBuild configs:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs
======================
RATE LIMIT

Let's Encrypt does have a rate limit, so you likely won't be able to secure hundreds of domains at the same time.
https://community.letsencrypt.org/t/qui ... guide/1631

As of Jan 31st, 2016 the rates are:
Rate limit on registrations per IP is now 10 per 3 hours
Rate limit on certificates per Domain is now 5 per 7 days
but once the project becomes "stable", they'll likely increase the allowed rates.

======================
TASK.QUEUE

As mentioned above, the full tally does handle the automated renewals, if they're about to expire.
If you want to run a renewal check manually, you can use:
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue

which will call the same function as the full tally calls.
Only domains whose certificates are about to expire will be updated.

======================
SCRIPTS:
/usr/local/directadmin/scripts/letsencrypt.sh

usage:
./letsencrypt.sh request|renew|revoke domain.com 4096 (/path/to/csr-request-config-file) (document_root)

but you shouldn't need to run it manually, as DA will call it automatically when the User triggers it through DA.
Note: when you run it through DA, the domain.com.san_config will have more details than if you run it from ssh (.san_config will be created, but with less info).

======================
CONFIG FILES
/usr/local/directadmin/data/users/username/letsencrypt.key - L.E. account ID for this User. Only created once.
/usr/local/directadmin/data/users/username/domains/domain.com.cert.creation_time - contains time L.E. cert was created (to be automatically renewed every 90 days)
/usr/local/directadmin/data/users/username/domains/domain.com.cert.san_config - csr -config request info, used for creation and renewal.
/var/www/html/.well-known/acme-challenge - directory created by DA for the random challenge key file: letsencrypt=1
/home/user/domains/domain.com/public_html/.well-known/acme-challenge - challenge key file if letsencrypt=2
.htaccess - added to either document root to disable mod_rewrite, in case it's enabled higher up.


======================
SKINS
user/ssl.html

added a 3rd radiobox:
|*if LETSENCRYPT="1"|
<br><input type=radio name=request value="letsencrypt" disabled>Free & automatic certificate from <a class='listtitle' target=_blank href="https://letsencrypt.org/">Let's Encrypt</a></td>
|*endif|

------

Show if LE is in use:
|*if LETSENCRYPT_RENEWAL_DAYS!=""|
<div style='padding: 20px; font-weight: bold;'>|LANG_LETSENCRYPT_IN_USE_AUTO_RENEWAL| |LETSENCRYPT_RENEWAL_DAYS| |LANG_LETSENCRYPT_DAYS|.</div>
|*endif|

======================
LANG
lang/en/user/ssl.html
LANG_FREE_LETS_ENCRYPT=Free & automatic certificate from
LANG_LETSENCRYPT_IN_USE_AUTO_RENEWAL=Let's Encrypt in use. Auto-renewal in
LANG_LETSENCRYPT_DAYS=Days

lang/en/internal/ssl.txt
28=Let's Encrypt is not enabled. You cannot use this option.
29=Invalid keysize. Valid values: %s
30=Unable to create %s: %s


=====================
TROUBLESHOOTING

Reported issue with curl's ca-certificates where this command was required:

update-ca-certificates

if you see something like this in the output:
Getting challenge for domain.com from acme-server...
/usr/local/directadmin/scripts/letsencrypt.sh: 279: [: Illegal number:
/usr/local/directadmin/scripts/letsencrypt.sh: 295: [: Illegal number:

caused by an empty HTTP_STATUS variable, because of the broken ca-certificates for curl.

Reported issue of DNSSEC possibly causing this error:
"Challenge is invalid. Details: DNS problem: SERVFAIL looking up A for server.domain.com. Exiting..."
but only after confirming that the A record for server.domain.com works correctly.
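The renewal logic in the post above (nightly tally, letsencrypt_renewal_days=85, one domain.com.cert.creation_time file per certificate) and the ACTION REQUIRED step are easy to get wrong silently: a certificate that never renews only shows up when it expires, and a broken .well-known Alias only shows up as a failed challenge. The script below is an added example, not DirectAdmin's own code and not part of the original post. It reproduces the "is this certificate old enough to renew" check over the data directory the post names, queues the same task.queue line the post gives for a manual renewal pass, and adds a pre-flight probe of the challenge path. It assumes that each creation_time file holds a Unix epoch timestamp in seconds (an assumption; the post only says it "contains time L.E. cert was created"), and the check_challenge_path function assumes the domain already resolves to this server over plain HTTP.

```shell
#!/bin/sh
# Added example: mirrors DA's nightly Let's Encrypt renewal check. Not DirectAdmin code.
# Assumption: *.cert.creation_time contains a Unix epoch timestamp (seconds).

RENEWAL_DAYS=${RENEWAL_DAYS:-85}   # letsencrypt_renewal_days default from the post

# cert_age_days CREATION_EPOCH NOW_EPOCH -> prints whole days elapsed
cert_age_days() {
    echo $(( ($2 - $1) / 86400 ))
}

# cert_due_for_renewal CREATION_EPOCH NOW_EPOCH [RENEWAL_DAYS]
# Exit 0 when the cert is at least RENEWAL_DAYS old, 1 when it is not yet due,
# 2 when the timestamp is empty or not numeric (a broken creation_time file).
cert_due_for_renewal() {
    creation=$1; now=$2; days=${3:-$RENEWAL_DAYS}
    case $creation in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ $(( now - creation )) -ge $(( days * 86400 )) ]
}

# list_cert_status DATA_DIR NOW_EPOCH
# Walks DATA_DIR/users/<user>/domains/<domain>.cert.creation_time (the layout
# from the post) and prints one line per LE certificate:
#   <user> <domain> <age_days> due|ok|invalid
list_cert_status() {
    data_dir=$1; now=$2
    for f in "$data_dir"/users/*/domains/*.cert.creation_time; do
        [ -e "$f" ] || continue                       # glob matched nothing
        user=$(basename "$(dirname "$(dirname "$f")")")
        domain=$(basename "$f" .cert.creation_time)
        creation=$(tr -d '[:space:]' < "$f")
        rc=0
        cert_due_for_renewal "$creation" "$now" || rc=$?
        case $rc in
            0) echo "$user $domain $(cert_age_days "$creation" "$now") due" ;;
            2) echo "$user $domain - invalid" ;;
            *) echo "$user $domain $(cert_age_days "$creation" "$now") ok" ;;
        esac
    done
}

# queue_renewal_check [DATA_DIR]
# Queues the same renewal pass the full tally runs (the task.queue line from the post).
queue_renewal_check() {
    echo "action=rewrite&value=letsencrypt" >> "${1:-/usr/local/directadmin/data}/task.queue"
}

# check_challenge_path DOMAIN [WEBROOT]
# Pre-flight for the ACTION REQUIRED step: drop a probe file where DA writes
# letsencrypt=1 challenge files and fetch it over plain HTTP, as the ACME server
# would. Needs network access to DOMAIN, so it is not exercised offline.
check_challenge_path() {
    domain=$1; webroot=${2:-/var/www/html}
    dir=$webroot/.well-known/acme-challenge
    token=probe-$$-$(date +%s)
    mkdir -p "$dir" && echo "$token" > "$dir/$token" || return 2
    got=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# Usage on a DA box (set LE_DATA_DIR to run the report):
#   LE_DATA_DIR=/usr/local/directadmin/data sh le_renewal_check.sh
#   check_challenge_path example.com   # after sourcing this file
if [ -n "${LE_DATA_DIR:-}" ]; then
    list_cert_status "$LE_DATA_DIR" "$(date +%s)"
fi
```

Run the report before and after a manual `queue_renewal_check`: any domain still listed as "due" the next morning, or listed as "invalid", is one the tally is not renewing and needs a look at the script output and the challenge path.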