This is a text-only version of the following page on https://raymii.org:

This is a text-only version of the following page on https://raymii.org:
---
Title : Let's Encrypt with DirectAdmin, now built in!
Author : Remy van Elst
Date : 24-02-2016
URL : https://raymii.org/s/articles/Lets_Encrypt_Directadmin_Now_Built_In.html
Format : Markdown/HTML
---

Let's Encrypt is a new certificate authority, recognized by all major browsers.
They make it a breeze to set up TLS certificates for your web server. And for
free! Let's Encrypt is supported by major players like Mozilla, Akamai, Cisco,
the EFF, the Internet Security Research Group and others. Let's Encrypt provides
free, automatic and secure certificates so that every website can be secured
with an SSL certificate.

I have written [a guide][1] on using Lets Encrypt with Directadmin before, but
that involved manually logging in via SSH and a lot of work.

DirectAdmin now supports Lets Encrypt natively since [version 1.50][2], so no
more ssh fiddling, just via the control panel, for all the users on the server.

 Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below: <a href="https://leafnode.nl">I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!</a> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a> 

The previous article still applies and it still works. It's generic enough for
all control panels and non-supported webservers by Let's Encrypt.

So let's get started. We'll do a couple of things, namely:

1. Update Directadmin
2. Enable Let's Encrypt
3. Request a certificate
4. ???
5. Profit!?!??!

After step 3, everything is automatic, including renewals.

Do note that the last step of the article requires you to have set up a website
and a domain already. They must be working and resolving in DNS, because Let's
Encrypt triggers a challenge-response authentication to the domain name.

You can test with a subdomain as well, but make sure to add the subdomain as a
new domain, not as a subdomain (So, Domain Administration, Add a domain,
testsub.example.org). Actual subdomains don't support seperate SSL in
Directadmin.

Do note that I'm not sponsored by Directadmin (Hi John and crew) nor by Let's
Encrypt. I just like them a lot both, Directadmin for being a lightweight but
very easy and functional controlpanel, and Let's Encrypt for their effort to
secure the entire web for free.

### Update Directadmin

![da-le1][4]

Remember when I said no more fiddling with SSH? Well, that part isn't entirely
untrue. You need to login once via SSH to update Directadmin and enable Let's
Encrypt.

You can update Directadmin via the Administrator Settings -> Update / Licensing
page as well, but I like the custombuild method better. Why? Because you can
update the other parts of your server as well and that a general good thing to
do.

Also, you do need to login via SSH and execute a few other steps like enabling
Let's Encrypt and rewriting the configuration files, so you might just as well
login and update via Custombuild.

A friend of mine wrote a [great article on keeping Directadmin up to date][5] on
her website. I'll give you the TL;DR version here, but, if you want to know
more, read her article.

First log in to your server via SSH as root or as a user that can `sudo` to
root. Navigate to the `custombuild` folder:

cd /usr/local/directadmin/custombuild/

Clean up earlier updates to make sure no weird quirks show up:

./build clean all

Update the software list:

./build update

If you want, you can get a list of the updates available:

./build versions | grep is

Output is like this:

DirectAdmin 1.49.1 to 1.50.0 update is available.
cURL 7.46.0 to 7.47.1 update is available.
FreeType 2.6.2 to 2.6.3 update is available.
MySQL 5.6.28 to 5.6.29 update is available.
PHP 5.6 (mod_php) 5.6.17 to 5.6.18 update is available.

Apply the updates:

./build update_versions

If you only want to update Directadmin and not the other updates you can do that
with the following command:

./build update_da

While you're applying updates, do the operating system updates as well:

apt-get update && apt-get upgrade || yum update

The above command will work on both Debian / Ubuntu and CentOS. You will be
asked to confirm the updates before they're installed.

There is one more important thing to do and that is rewriting the configuration.
You need to do this because Directadmin keeps all the challenge-response files
in one place, not for all domains seperate. Directadmin's Custombuild has a
function for this. Do note that if you did any manual changed (not via
Directadmin), they will be lost. Make sure you have a backp. Rewrite the confs,
still in the custombuild folder:

./build rewrite_confs

Now that your server is up to date, continue on to enable Let's Encrypt in
Directadmin.

### Enable Let's Encrypt

Make sure you're still logged in via SSH. You can execute the below command and
it will add the configuration to the Directadmin configuration, but only if it's
not already there:

grep -q 'letsencrypt=1' /usr/local/directadmin/conf/directadmin.conf || echo 'letsencrypt=1' >> /usr/local/directadmin/conf/directadmin.conf

You can also manually edit the file
`/usr/local/directadmin/conf/directadmin.conf` and add the following value:

'letsencrypt=1'

If your server is recent enough, CentOS 6, Ubuntu 12.04 and you run Apache 2.2
or higher, you can also enable `SNI` support ([Server name indication][6]). That
is an extension to the TLS protocol which, simply said, allows you to host
multiple SSL enabled sites on one IP address.

Almost the same command as above, but with another value:

grep -q 'enable_ssl_sni=1' /usr/local/directadmin/conf/directadmin.conf || echo 'enable_ssl_sni=1' >> /usr/local/directadmin/conf/directadmin.conf

After changing the configuration, restart Directadmin:

service directadmin restart

You can check via the web interface if you now have the most recent version:

![da-le2][7]

### Request a certificate

Now that we're all set up we can request a certificate for a website. Do make
sure the user and the package have SSL enabled in their settings, otherwise add
that option to the account.

![da-le3][8]

Log in as the user you want to request the certificate for (either with their
username and password or via the "Admin" -> "Show all users", "username", "Login
as username"). Navigate to "Advanced Features" -> "SSL Certificates".

![da-le4][9]

Make sure the top line says: `SSL is currently enabled for this domain. You can
disable it here.`

If it says `SSL is currently disabled for this domain. You can enable it here.`,
click the `Enable it here` link and turn it on, then go back to the "SSL
Certificates" page.

Select the third option, `Free & automatic certificate from Let's Encrypt` and
fill in the fields below.

![da-le5][10]

If you've set up everything correctly, that meaning updated Directadmin, rewrote
the configuration and enabled Let's Encrypt you should have output like in the
picture below, with a correctly and valid certificate.

![da-le6][11]

You can check if it all worked by using my SSL Check over at
[SSLdecoder.org][12].

Directadmin will also show you that Let's Encrypt is enabled, plus the auto-
renew date.

![da-le7][13]

If you forgot to rewrite the configuration, you might get an error message like
in the picture below. Go back and re-do everything in this tutorial, don't
forget to rewrite the configuration and try again.

![da-le8][14]

That's all there is. Your website is now set up with a certificate for free,
which will auto renew when it's about to expire. You don't have to do anything
or worry about it anymore.

### Profit!?!?!?!

Another subtopic? But we're already done, the site has a certificate and it all
works? I know, I know. There are a few things you might want to do to make sure
it all keeps working in the best state.

First, to make sure the certificate doesn't expire, add your website to the free
[Certificate Expiry Monitor][15] service, one of my other projects. The renew
process should be automatic, but you never know. Even [Google][16] sometimes
forgets to renew certificates, so better to make sure it won't happen to your
sites.

Second, you can optimize all aspects of TLS and make sure it's very secure. I
[have a guide on that for Apache][17], [the Mozilla Foundation][18] has one as
well. Both are very good, explain all aspects and make sure your site is as
secure as possible.

Third, check your score, settings and ratings on an SSL/TLS tester like [SSL
Labs][19] or my own, faster check, [the SSL Decoder][12], which is [open
source][20] as well.

Fourth and last, [If you like this article, consider sponsoring me by trying out
a Digital Ocean VPS. With this link you'll get a $5 VPS for 2 months free (as
in, you get $10 credit). (referral link)][3]

[1]: https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html
[2]: http://www.directadmin.com/features.php?id=1828
[3]: https://www.digitalocean.com/?refcode=7435ae6b8212
[4]: https://raymii.org/s/inc/img/da-le1.png
[5]: http://www.arm-blog.com/keeping-directadmin-server-date/
[6]: https://en.wikipedia.org/wiki/Server_Name_Indication
[7]: https://raymii.org/s/inc/img/da-le2.png
[8]: https://raymii.org/s/inc/img/da-le3.png
[9]: https://raymii.org/s/inc/img/da-le4.png
[10]: https://raymii.org/s/inc/img/da-le5.png
[11]: https://raymii.org/s/inc/img/da-le6.png
[12]: https://ssldecoder.org/
[13]: https://raymii.org/s/inc/img/da-le7.png
[14]: https://raymii.org/s/inc/img/da-le8.png
[15]: https://certificatemonitor.org/
[16]: http://arstechnica.com/information-technology/2015/04/google-let-root-certificate-for-gmail-expire-causing-e-mail-hiccups/
[17]: https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
[18]: https://wiki.mozilla.org/Security/Server_Side_TLS
[19]: https://www.ssllabs.com/ssltest/
[20]: https://github.com/RaymiiOrg/ssl-decoder

---

License:
All the text on this website is free as in freedom unless stated otherwise.
This means you can use it in any way you want, you can copy it, change it
the way you like and republish it, as long as you release the (modified)
content under the same license to give others the same freedoms you've got
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for
advertisements. You are tracked and Google knows everything about you.
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license
unless already licensed under a license which does not allows this form
of licensing or if another license is stated on that page / in that software:

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational
purposes and you use it at your own risk. I do not take responsibility if you
screw something up. Use common sense, do not 'rm -rf /' as root for example.
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.