Directadmin – server-<YOUR IP>.da.direct was skipped due to unreachableDirectadmin

I just migrated Directadmin server to a new one. On the new one, there was some temporary hostname, that I guess Directadmin provides. It was http://server-<IP ADDRESS>.da.direct. I changed hostname of machine and did everything, but wasn’t able to generate Letsencrypt certificate for my directadmin server hostname. 

When try to generate certificate I was getting error below. I rewrite configs, run changehostname.sh, did all sort of things, but wasn’t able to get pass this error:

[root@da scripts]# ./letsencrypt.sh request `hostname` 4096
Setting up certificate for a hostname: my.dahostname.com
server-1-1-1-1da.direct was skipped due to unreachable http://server-1-1-1-1.da.direct/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.

After an hour, I found this answer from gentleman named “zEitEr”. I guess, when I setup new Directadmin server on temporary IP, acme account for letsencrypt was created with directadmins temporary hostname – server-<MY IP ADDRESS>.da.direct. What I did, was removed all letsencrypt accounts and regenerated them:

[root@da ~]# rm -rf /usr/local/directadmin/data/.lego/*
[root@da scripts]# ./letsencrypt.sh request `hostname` 4096
Setting up certificate for a hostname: my.dahostname.com
2024/02/16 13:31:42 No key found for account admin@my.dahostname.comGenerating a 4096 key.
2024/02/16 13:31:45 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/admin@my.dahostname.com/keys/admin@my.dahostname.com.key
2024/02/16 13:31:45 [INFO] acme: Registering account for admin@my.dahostname.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/02/16 13:31:45 [INFO] [my.dahostname.com] acme: Obtaining SAN certificate
2024/02/16 13:31:46 [INFO] [my.dahostname.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/315898412537
...
Certificate for my.dahostname.com has been created successfully!
DirectAdmin certificate has been setup.
Setting up cert for Exim...
...

Hope that helps to save some nerves. Thanks to zEitEr

Directadmin – build GeoIP2 in Directadmin’s NGINX and create country blocking for vhosts.

GeoIP is super helpful if you have troubles with a lot of nasty requests from some nasty countries :). Or, sometimes, you just want to lock some website or part of it ( administration ), so that it is accessible only from your country.

Things are a little different when you are using Directadmin control panel. I had this Directadmin with NGINX reverse proxy, so all NGINX is first point for requests made on your websites. Besides SSL offloading, you can also do filtering, country blocking … before request ends on backend ( Apache ).

So, here is how you can build GeoIP2 extension into your NGINX on Directadmin. I my case, I have Nginx as reverse proxy with Apache.

Check which NGINX version is installed on your server

[root@da nginx]# nginx -v
nginx version: nginx/1.23.1

Continue Reading

Letsencrypt/certbot fails when proxying with Apache ProxyPass

I had an issue on Directadmin server where client had nodejs application for which apache had to proxy on port 3001. Becouse of this, letsencrypt was not able to reach .well-known/acme-challenge/ and certificate registration/renewal failed. Solution is simple, you have to exclude proxy when requesting .well-known/acme-challenge/.

This was error whent trying to check .well-known/acme-challenge:

$ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
{"errors":[{"message":"Route /.well-known/test.txt doesn't exist.","extensions":{"code":"ROUTE_NOT_FOUND"}}]}%

So I added “ProxyPass !” directive just before where I create proxy directive to port 3001. Like so:

. . .
<Location /.well-known/acme-challenge>
   ProxyPass !
</Location>

<Location />
Require all granted
   ProxyPass http://127.0.0.1:3000/
   ProxyPassReverse http://127.0.0.1:3000/
</Location>
. . . 

Then I was able tu make request to .well-known/acme-challenge sucsessfully:

> $ curl http://mydomain.com/.well-known/acme-challenge/test.txt 
It works!

I hope this helps! 🙂

Directadmin – x509: certificate signed by unknown authority – Letsencrypt

DST Root CA X3 expired on September 30, 2021. Because of this I got invalid certificate error when visiting Directadmin login in Chrome. Certificate itself was valid. CA certificate is problem. What you have to do is update system CA certificates. Also update letsencrypt via custombuild if you didn’t already.

Error was:

[root@server]# /usr/local/directadmin/scripts/letsencrypt.sh renew my.server.com
Setting up certificate for a hostname: my.server.com
2021/09/30 14:49:15 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority
Certificate generation failed.

You have to update system CA certificates ( Centos in this case ):

[root@server ~]# yum install ca-certificates -y
....
[root@server ~]# update-ca-trust

Then try to create new certificate for server hostname:

[root@server]# /usr/local/directadmin/scripts/letsencrypt.sh request_single my.server.com 4096
Setting up certificate for a hostname: my.server.com
2021/09/30 14:51:50 [INFO] [my.server.com] acme: Obtaining SAN certificate
2021/09/30 14:51:51 [INFO] [my.server.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/35702261650
2021/09/30 14:51:51 [INFO] [my.server.com] acme: Could not find solver for: tls-alpn-01
2021/09/30 14:51:51 [INFO] [my.server.com] acme: use http-01 solver
2021/09/30 14:51:51 [INFO] [my.server.com] acme: Trying to solve HTTP-01
2021/09/30 14:51:57 [INFO] [my.server.com] The server validated our request
2021/09/30 14:51:57 [INFO] [my.server.com] acme: Validations succeeded; requesting certificates
2021/09/30 14:52:01 [INFO] [my.server.com] Server responded with a certificate.
Certificate for my.server.com has been created successfully!
DirectAdmin certificate has been setup.
...

SNI support for Dovecot and Postfix

If you are in position that you need multiple SSL certificates for different domains on single mail server, you can do it with SNI. Of corse, on very old versions this is not supported. Check documentation first, if its supported for your version of Dovecot and Postfix.

Dovecot:

In case of incoming mailserver Dovecot it’s easy as listed bellow. I made file ssl-sni.conf in which I add SNI configurations for my domains. Then I included ssl-sni.conf in main dovecot config.

Create ssl-sni.conf and add your SNI definitions in it:

local_name mail.domain1.com {
ssl_cert = </etc/ssl/certs/domain1/fullchain.pem
ssl_key = </etc/ssl/certs/domain1/privkey.pem
}

local_name pop3.domain2.com {
ssl_cert = </etc/ssl/certs/domain2/fullchain.pem
ssl_key = </etc/ssl/certs/domain2/privkey.pem
}
...

Then include this in main dovecot config (you can add those configurations directly in dovecot.conf or 00-ssl.conf also. I just prefer separate this):

# SNI include
!include ssl-sni.conf

Postfix:

As for Postfix, configuration is also simple:

Inside /etc/postfix/, create file domain_ssl.map and add ssl definitions in it:

mail.domain1.com /etc/ssl/certs/domain1/privkey.pem /etc/ssl/certs/domain1/fullchain.pem
smtp.domain2.net /etc/ssl/certs/domain2/privkey.pem /etc/ssl/certs/domain2/fullchain.pem

Run postmap and restart Postfix:

[root@mail postfix]# postmap -F domain_ssl.map which will create domain_ssl.map.db
[root@mail postfix]# systemctl restart postfix

If everything is OK, you should now have SNI supported mail server.

Nice way to do HTTP to HTTPS redirection with Apache .htaccess

I had some sites on shared hosting environment for which I had to do http to https redirection with .htaccess file. I did 302 redirection intentionally so that in case of error, browser doesn’t cache redirection. You can aslo make permanent 301 redirect if needed.

This is nice and simple way to do it:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]

Multidomain webroot for Letsencrypt with NGINX

If you have web server on which there is a lot of virtual hosts, you may want to have one webroot directory for Letsencrypt SSL certificates only. So when Letsencrypt will make the requests for SSL registration or renewal, it will look in this directory. In this case I did this on CentOS 7 with NGINX web server.

First, let’s create directory what will be used for letsencrypt purposes. It must be writable by your web server user. You can define different path.

[root@machine ~]# mkdir -p /var/www/le-certs
[root@machine ~]# chown -R wwwuser:wwwgroup /var/www/le-certs

Letsencrypt will need access in “.well-known/acme-challenge”. For NGINX add something like this in your server block for desired virtual host.

location ~ /.well-known/acme-challenge/ {
             root /var/www/le-certs/;
             break;
}

You can also create new file named, for example le-config.conf and add block above in to it. Then you can simply include this line in your virtual hosts. 

server {
             listen :443 ssl http2;
             server_name mywebsite.com www.mywebsite.com;
             root /var/www/mywebsite/;

             include le-config.conf;
              ...
}

 

 

cPanel: Your server does not support the connection encryption type you have specified

If you’re getting message like “Your server does not support the connection encryption type you have specified” when try to set up email in your Outlook, then chances are that your cPanel mail server has disabled some needed encryption types.

By default, cPanel disables all those protocols: SSLv2, SSLv3, TLSv1, TLSv1.1. SSL2 and SSL3 should be disabled at all costs, but you may not get away with TLS 1.1 or even TLS 1 being disabled.

To enable TLS 1 and TLS 1.1 in your Exim, login as admin in your cpanel and then: Home -> Service Configuration -> Exim Configuration Manager. Select second option so you can insert your own directives and add this:

 +no_sslv2 +no_sslv3

Pure-FTPd: install valid SSL certificate / solve untrusted localhost certificate problem on CentOS 7

If you installed Pure-FTPD on your CentOS 7 machine and trying to install SSL certificate on it, chances are that you added your pem file to “/etc/ssl/private/”. I installed valid certificate in this directory and still getting untrusted warning for localhost certificate. Later, I found out that this path is wrong and self signed certificate was being used. Right path on CentOS 7 is “/etc/pki/pure-ftpd/”.

Here is how to do it right on Centos.

  • Create pem certificate that contains your key, crt and intermediate all in one file – pure-ftpd.pem
  • Move this certificate to /etc/pki/pure-ftpd/ as this is the right directory on CentOS.
  • In your pure-ftpd.conf, set TLS to 2.
  • Enable PassivePortRange from 30000 – 65000.
  • Restart pure-ftpd.

It should work.

RoundCube: Could not save new password. Connection error. Recv failure: Connection reset by peer

If you’re having trouble when try to change your email password in Roundcube on your Directadmin installation, than error will be probably something like this:

Could not save new password. Connection error. Recv failure: Connection reset by peer

Solution is simple. Just open Roundcube configuration file (/var/www/html/roundcube/plugins/password/config.inc.php) and find:

$rcmail_config['password_directadmin_host'] = 'tls://localhost';

then, change it to:

$rcmail_config['password_directadmin_host'] = 'ssl://localhost';

It should work.

© 2024 geegkytuts.net
Hosted by SIEL


About author