DirectAdmin Knowledge Base and Support

DirectAdmin is a web panel for a simple administration of both virtual and dedicated servers. DirectAdmin is faster, safe and more powerful than any other CP. And we know how to customize and support it.

Apache or nginx does not start after Let's Encrypt cert renewal

| 14:31:58 16.05.2016

* * * UPDATE: Directadmin 1.50.1 has been already released with a fix inside * * *

If Apache or nginx does not start after Let's Encrypt cert renewal, and you see an error:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/directadmin/data/users/help/domains/") failed 
               (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

with nginx, here is a guide on how to deal with it:

Bug in Directadmin 1.50.0

Unfortunately there is bug in the current version of Directadmin 1.50.0 and Directadmin fails to re-create combined cert on renewal.

I really hope that they will release a new fixed version of DA soon and you will not need to follow instructions bellow. 

Fixing it

Even if you don't get the error and your certs from Let's Encrypt are only about to expire, you'd better not to wait but renew the certs now:

Change Directadmin`s settings to renew certs every 60 days (it will be a default value with new directadmin version):

echo "letsencrypt_renewal_days=60" >> /usr/local/directadmin/conf/directadmin.conf

and restart Directadmin.

Or change creation time to a value in far past:

for file in `ls -1 /usr/local/directadmin/data/users/*/domains/*.cert.creation_time`; do echo -n 100 > $file; done;

and make Directadmin to renew all the certs:

echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue && /usr/local/directadmin/dataskq

Then create a script:

touch /usr/local/directadmin/scripts/custom/
chmod 700 /usr/local/directadmin/scripts/custom/

with the following content:

# Written by (
# A script to re-cerate combined cert for domains with Let's Encrypt SSL Certs.
for san in `ls -1 /usr/local/directadmin/data/users/*/domains/*.san_config`;
    domain=`basename ${san}`;
    dirname=`dirname ${san}`;
    if [ -e "${dirname}/${domain}.cert.creation_time" ] && [ -e "${dirname}/${domain}.cert" ] && [ -e "${dirname}/${domain}.key" ];
        echo "[OK] Found $domain";
        cat "${dirname}/${domain}.cert" "${dirname}/${domain}.cacert" > "${dirname}/${domain}.cert.combined";
        [ -e "${dirname}/${domain}.cert.bundle" ] && cat "${dirname}/${domain}.cert.combined" > "${dirname}/${domain}.cert.bundle";

exit 0;

and run it as root:


With it you will get all the existing SSL certs from Let's Encrypt renewed and updated with correct cert.combined. 

Now run:

apachectl -t


nginx -t

to make sure that everything is fine and restart both of them (or any depending on what server you use).

P.S. Even if Directadmin developers delay with a release of a fixed version you will have next 60-85 days of happy using your SSL certs from Let's Encrypt.

That's it. Have fun.

About Us
We are a team of professionals, and specialize in installation, configuring and managing of remote virtual and dedicated servers powered by Linux/Unix-like OS with DirectAdmin. We support various sets of software, including web-servers Apache, Nginx; internet domain name servers Bind, PowerDNS; mail-servers with POP3, IMAP and SMTP, FTP-servers, etc. After years of working through the most complex server challenges our team has gathered valuable experience and universal solutions suitable for everyday tasks. We are here to lend you a helping hand and take care of your servers in order to let you have enough time to do more of what you love.

All of the information and data on this site is for informational purposes only and is provided for the convenience of the user.
Powered by: Amiro.CMS - Free edition