* * * UPDATE: DirectAdmin 1.50.1 has already been released with a fix included * * *
If Apache or nginx does not start after a Let's Encrypt cert renewal, and you see an error like this one from nginx:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/directadmin/data/users/help/domains/help.poralix.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
here is a guide on how to deal with it:
Unfortunately, there is a bug in the current version, DirectAdmin 1.50.0: it fails to re-create the combined cert on renewal.
I really hope that they will release a new fixed version of DA soon and you will not need to follow the instructions below.
Even if you don't get the error and your certs from Let's Encrypt are only about to expire, it is better not to wait and to renew the certs now:
Change DirectAdmin's settings to renew certs every 60 days (this will be the default value in the new DirectAdmin version):
echo "letsencrypt_renewal_days=60" >> /usr/local/directadmin/conf/directadmin.conf
and restart DirectAdmin.
Or change the creation time to a value in the far past:
for file in /usr/local/directadmin/data/users/*/domains/*.cert.creation_time; do [ -e "$file" ] && echo -n 100 > "$file"; done
and make DirectAdmin renew all the certs:
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue && /usr/local/directadmin/dataskq
Then create a script:
touch /usr/local/directadmin/scripts/custom/recreate_ssl_combined.sh
chmod 700 /usr/local/directadmin/scripts/custom/recreate_ssl_combined.sh
with the following content:
#!/bin/bash
#
# Written by poralix.com (support@poralix.com)
# A script to re-create combined cert for domains with Let's Encrypt SSL Certs.
#
for san in /usr/local/directadmin/data/users/*/domains/*.san_config; do
    domain=$(basename "${san}");
    dirname=$(dirname "${san}");
    domain=${domain%.san_config};
    # Only handle domains that have a Let's Encrypt cert and key in place
    if [ -e "${dirname}/${domain}.cert.creation_time" ] && [ -e "${dirname}/${domain}.cert" ] && [ -e "${dirname}/${domain}.key" ]; then
        echo "[OK] Found $domain";
        # Combined cert = domain cert followed by the CA cert
        cat "${dirname}/${domain}.cert" "${dirname}/${domain}.cacert" > "${dirname}/${domain}.cert.combined";
        # Refresh the bundle only where one already exists
        [ -e "${dirname}/${domain}.cert.bundle" ] && cat "${dirname}/${domain}.cert.combined" > "${dirname}/${domain}.cert.bundle";
    fi;
done;
exit 0;
and run it as root:
/usr/local/directadmin/scripts/custom/recreate_ssl_combined.sh
After this, all the existing SSL certs from Let's Encrypt will be renewed and updated with a correct cert.combined.
Now run:
apachectl -t
and/or
nginx -t
to make sure that everything is fine, then restart both of them (or whichever one you use).
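To confirm per domain that each cert.combined matches its private key (the pairing that the "key values mismatch" error complains about), the check below compares the public key in the first certificate of cert.combined with the one derived from the .key file. It is an added example, not part of the original guide or of DirectAdmin; the function name check_combined_dir is hypothetical, and it assumes the openssl command-line tool is installed.

```bash
#!/bin/bash
# Added example: report domains whose cert.combined does not match the
# private key, the condition behind nginx's "key values mismatch" error.
# check_combined_dir is a hypothetical helper name; requires openssl.

# Check every <domain>.cert.combined in one domains directory.
# Prints one line per domain; returns 1 if any pair does not match.
check_combined_dir() {
    local dir=$1 combined domain cert_pub key_pub rc=0
    for combined in "$dir"/*.cert.combined; do
        [ -e "$combined" ] || continue            # glob matched nothing
        domain=$(basename "$combined" .cert.combined)
        # openssl x509 reads only the first certificate in the file, which
        # in cert.combined is the domain's own cert (the CA cert follows).
        cert_pub=$(openssl x509 -in "$combined" -pubkey -noout 2>/dev/null)
        # Public key derived from the private key the web server will load.
        key_pub=$(openssl pkey -in "$dir/$domain.key" -pubout 2>/dev/null)
        # An empty value means the file was unreadable or not valid PEM.
        if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
            echo "OK       $domain"
        else
            echo "MISMATCH $domain"
            rc=1
        fi
    done
    return "$rc"
}

# On a DirectAdmin server, walk every user's domains directory.
for d in /usr/local/directadmin/data/users/*/domains; do
    if [ -d "$d" ]; then
        check_combined_dir "$d" || echo "Fix the entries above in $d before restarting"
    fi
done
```

Run it as root, since the key files are not readable by other users.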
P.S. Even if the DirectAdmin developers delay the release of a fixed version, you will have the next 60-85 days of happily using your SSL certs from Let's Encrypt.
That's it. Have fun.