At line 4 added 7 lines |
---- |
__⚠️ Proxy Configuration:__ if your server accesses the internet through a proxy, ensure that the following Let’s Encrypt domains are whitelisted to allow successful certificate issuance and renewal:\\ |
- __acme-v02.api.letsencrypt.org__\\ |
- __acme-staging-v02.api.letsencrypt.org__\\ |
\\ |
---- |
\\ |
At line 6 changed one line |
The LetsEncrypt plugin allows you to create a Java Keystore file (.jks) that is authorized by the Let’s Encrypt certificate authority. You do not need to install, configure, or use certbot if you are using this plugin.\\ |
The Let’s Encrypt plugin in CrushFTP simplifies certificate management by automatically generating a __Java Keystore (.jks)__ file containing a valid certificate from Let’s Encrypt. This plugin eliminates the need to install or configure external tools like Certbot — everything is handled directly within CrushFTP.\\ |
At line 11 changed one line |
__Server Instance__: To generate a certificate for a DMZ instance, specify the DMZ server instance name. Let’s Encrypt will challenge that server instance. Leave it empty for the default/main instance.\\ |
✅ __Enabled__: Turns the Let’s Encrypt plugin on so it runs and attempts to manage certificates.\\ |
At line 20 added 7 lines |
✅ __Debug__: Enables verbose logging to help diagnose issues during certificate generation or renewal.\\ |
\\ |
__ACME Host__: acme-v02.api.letsencrypt.org: The production Let’s Encrypt ACME server for issuing real certificates.\\ |
__ACME Staging Host__: acme-staging-v02.api.letsencrypt.org: Used for testing — issues dummy certs that aren’t trusted by browsers but avoid hitting rate limits.\\ |
\\ |
__Server Instance__: Selects which CrushFTP server instance ([DMZ] node) the certificate should be generated for. Let’s Encrypt will challenge that server instance. Leave it empty for the default/main instance.\\ |
\\ |
At line 14 changed 2 lines |
• http-01 -> This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible externally on port 80. Make sure HTTPS redirect is disabled. (ACME v1 only supports HTTP-based challenges.)\\ |
• tls_alpn -> (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible externally on port 443.\\ |
• http-01 -> This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible __externally__ on port __80__.\\ |
• tls_alpn -> (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible __externally__ on port __443__.\\ |
__⚠️ Note:__ Let’s Encrypt only validates __domain ownership__ via ports __80 (for HTTP-01 challenge)__ or __443 (for TLS-ALPN-01 challenge)__. Other ports (such as 444 or 8080) will not work for certificate issuance.\\ |
At line 17 changed one line |
__Domains:__ Multiple domains should be separated with commas.\\ |
__Related CrushFTP Server port__: Must match the HTTPS port configured in your CrushFTP server item. Defaults to 443.\\ |
At line 19 changed one line |
__Keystore:__ Set the location for the .jks file by selecting a valid directory and appending a filename for the keystore.\\
Notes: Freeform text field. Internal documentation or notes only. Has no effect on behavior.\\ |
At line 21 changed one line |
__NOTE:__ The filename must end in .jks.\\ |
__Domains:__ Enter one or more domains, comma-separated. Example:\\ |
{{{ |
example.com,ftp.example.com |
}}}\\ |
At line 23 changed one line |
__Staging Flag:__ This enables test mode. When true, it only generates a dummy keystore (.jks), not a valid certificate.\\ |
__Keystore:__ Path (URL-style) to the .jks file that will be created/used to store the Let’s Encrypt certificate. |
Example: |
{{{file://var/opt/CrushFTP11/letsencrypt_keystore.jks}}}\\ |
⚠️ Must end in .jks\\ |
At line 25 changed one line |
Once all fields are completed, click Submit. The keystore will be created at the specified path.\\ |
__Keystore Password / Key Password__: Passwords used to protect:\\ |
• The Java Keystore (Keystore Password)\\ |
• The private key inside the keystore (Key Password)\\ |
🔐 These must be remembered for configuring [SSL] later in Preferences.\\ |
At line 27 changed one line |
After a successful generation, go to __Preferences → Encryption → SSL__ and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically.\\ |
__Organization Unit, Locality, State, Country Code, Email__: Used to populate the subject information in the certificate request (CSR). __Email__ is required by Let’s Encrypt and used for expiration notices.\\ |
At line 29 changed one line |
After saving the SSL settings, restart the HTTPS port or the CrushFTP service to load the new certificate. You can then test access using a browser.\\
__Optional Checkboxes__:\\ |
• __Ignore Failing “Not a CrushFTP Server”:__ Skips verification that the target is a valid CrushFTP server. Use if the check causes problems and you’re sure the server is correct.\\ |
• __Skip all pre-checks (DNS, CrushFTP server, etc)__: Bypasses all preliminary checks. Useful for troubleshooting.\\ |
• __Replicate?__: Used in clustered environments. If enabled, the cert is also replicated to slave/replica nodes.\\ |
At line 31 changed one line |
You will need to click Submit and restart the service every 60–90 days, as Let’s Encrypt certificates are only valid for that duration.\\ |
Once all fields are completed, click the __Test__ button to validate your configuration. If the test is successful, click __Submit__ to generate the keystore at the specified location.\\ |
At line 33 changed one line |
Update the certificate automatically: This setting enables automatic certificate renewal and restarts the HTTPS Server Item ports. Let’s Encrypt allows only 5–6 attempts per week, so we recommend setting this check to run weekly.\\
✅ __Update the certificate automatically:__ Enables auto-renewal of the Let’s Encrypt certificate.\\
__Update certs before__: __5__ days -> Starts renewal process 5 days before expiration.\\ |
__Check certificate every__: __5__ days -> Interval between certificate validity checks.\\ |
__Update info__: Shows the last time the certificate was checked.\\ |
__Execute CrushTask/Job after cert renew__: After a successful renewal, runs a [CrushTask] or Job by name. Useful for actions like sending alerts.\\ |
At line 35 changed one line |
Alert: To receive notifications about failed certificate updates, create a “Plugin Message” alert under Preferences → Alerts.\\
⚠️ __Note:__ After a successful generation, go to __Preferences → Encryption → [SSL]__ and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically.\\
At line 68 added 5 lines |
__Submit Button:__ Issues a new certificate or initiates a renewal based on the current configuration. ⚠️ Use this only after the __Test button__ has confirmed a successful setup.\\ |
__Test Button:__ Immediately validates the current configuration and attempts a certificate request in staging mode to avoid rate limits. ⚠️ Always use this first to ensure your settings are correct.\\ |
\\ |
__Alert__: To receive notifications about failed certificate updates, create a __Plugin Message__ alert under __Preferences → Alerts__.\\
\\ |
At line 39 changed 5 lines |
|
0. Download and replace the plugin — Let’s Encrypt occasionally changes its API.\\ |
1. Ensure your server is accessible over HTTP (port 80) or HTTPS (port 443) for the given domain.\\ |
2. Verify that the Staging flag is set correctly (for testing). Try checking the options to Delete account key pair and Delete domain key pair, then run the test again.\\ |
3. Re-enter the Keystore Password and Key Password, and test again.\\ |
__1.)__ Ensure your __CrushFTP Server__ is accessible over __HTTP (port 80)__ or __HTTPS (port 443)__ for the given __domain__.\\ |
You can verify this by using a simple command like:\\ |
{{{ |
telnet yourdomain.com 80 |
or |
telnet yourdomain.com 443 |
}}}\\ |
If the connection succeeds, the port is open and reachable. If it fails, check your firewall, port forwarding, or network settings to ensure external access is allowed.\\
You can also use [yougetsignal open ports test link|https://www.yougetsignal.com/tools/open-ports/] to test your domain’s open ports from the internet.\\ |
If the test fails:\\ |
• Check your router’s port forwarding rules\\ |
• Ensure no firewall (local or network) is blocking access\\ |
• Confirm that CrushFTP is listening on the required ports in your Server Items\\ |
At line 89 added 56 lines |
__2.)__ Verify that the domain and ports point to the correct CrushFTP instance. Make sure the DNS for your domain resolves to the correct public IP address of your CrushFTP server.\\ |
__⚠️ Note:__ Let’s Encrypt only validates domain ownership via ports __80__ or __443__, depending on the challenge type selected. Other ports (e.g., 444, 8080) will not work for certificate issuance.\\ |
\\ |
__3.)__ Use test mode first: Always click the Test button before making a real certificate request. This validates your configuration and helps avoid hitting Let’s Encrypt rate limits during setup.\\
\\ |
__4.)__ Check the main CrushFTP.log for errors, especially rate limit issues. Look for entries such as __LetsEncrypt:Challenge result__ that may include error details.\\ |
\\ |
__Common Let’s Encrypt rate limit error types__:\\ |
{{{ |
SERVER|LetsEncrypt:Challenge result: { |
"type": "tls-alpn-01", |
"status": "invalid", |
"error": { |
"type": "urn:ietf:params:acme:error:rateLimited", |
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: example.com,www.example.com: see https://letsencrypt.org/docs/rate-limits/", |
"status": 429 |
} |
} |
}}}\\ |
{{{ |
SERVER|LetsEncrypt:Challenge result: { |
"type": "tls-alpn-01", |
"status": "invalid", |
"error": { |
"type": "urn:ietf:params:acme:error:rateLimited", |
"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/", |
"status": 429 |
} |
} |
}}}\\ |
{{{ |
SERVER|LetsEncrypt:Challenge result: { |
"type": "tls-alpn-01", |
"status": "invalid", |
"error": { |
"type": "urn:ietf:params:acme:error:rateLimited", |
"detail": "Error creating new account :: too many registrations for this IP :: see https://letsencrypt.org/docs/rate-limits/", |
"status": 429 |
} |
} |
}}}\\ |
Let’s Encrypt enforces strict rate limits to prevent abuse. If your request fails, check the logs for messages indicating you’ve hit a rate limit.\\ |
Below are common limits and their reset windows:\\ |
- __Duplicate Certificate Limit__:\\
• Limit: 5 identical certificates per domain per week\\
• Reset: 7 days after the first certificate issuance\\
- __Certificates per Registered Domain__:\\
• Limit: 50 new certificates per week for the same base domain (e.g., example.com)\\
• Reset: 7 days\\
- __Failed Validation Attempts__:\\
• Limit: 5 failed validation attempts per account, per hostname, per hour\\
• Reset: After 1 hour\\
- __Account Creation Limit__:\\
• Limit: 10 new accounts per IP address every 3 hours\\
• Reset: After 3 hours\\
\\ |
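As an added example (not part of the CrushFTP documentation or of the plugin itself), the following Python script scans CrushFTP.log text for __LetsEncrypt:Challenge result__ entries, parses the JSON that follows them (which the plugin writes across several lines), and maps a __rateLimited__ error to the category and reset window listed above so you know how long to wait before clicking Test or Submit again. The log content is a constructed sample; the detail substrings used for matching are taken from the log excerpts shown above.

```python
import json

MARKER = "LetsEncrypt:Challenge result:"
# Rate-limit categories and reset windows from the table above; the first substring match wins, so the specific "exact set of domains" entry is listed first.
RATE_LIMITS = [
    ("too many certificates already issued for exact set of domains", "Duplicate Certificate Limit", "7 days after the first issuance"),
    ("too many certificates already issued for", "Certificates per Registered Domain", "7 days"),
    ("too many failed authorizations recently", "Failed Validation Attempts", "1 hour"),
    ("too many registrations for this IP", "Account Creation Limit", "3 hours"),
]

# Constructed sample of CrushFTP.log content (not a real capture): the first entry is spread over several lines as shown above, the others are written compactly.
SAMPLE_LOG = """SERVER|LetsEncrypt:Challenge result: {
"type": "tls-alpn-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: example.com,www.example.com: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
}
}
SERVER|LetsEncrypt:Challenge result: {"type": "http-01", "status": "invalid", "error": {"type": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new account :: too many registrations for this IP :: see https://letsencrypt.org/docs/rate-limits/", "status": 429}}
SERVER|LetsEncrypt:Challenge result: {"type": "http-01", "status": "valid"}
"""


def extract_challenge_results(log_text):
    """Return every JSON object logged after MARKER, even when it spans many lines."""
    decoder, pos, results = json.JSONDecoder(), 0, []
    while (idx := log_text.find(MARKER, pos)) >= 0:
        start = idx + len(MARKER)
        start += len(log_text[start:]) - len(log_text[start:].lstrip())  # skip the space(s) before "{"
        try:
            obj, end = decoder.raw_decode(log_text, start)
        except json.JSONDecodeError:  # truncated or garbled entry: skip it and keep scanning
            pos = start
            continue
        results.append(obj)
        pos = end
    return results


def classify(result):
    """Map one challenge result to (category, reset window), or None if it is not a rate-limit failure."""
    err = result.get("error") or {}
    if err.get("type") != "urn:ietf:params:acme:error:rateLimited":
        return None
    for needle, name, reset in RATE_LIMITS:
        if needle in err.get("detail", ""):
            return (name, reset)
    return ("Other rate limit", "see https://letsencrypt.org/docs/rate-limits/")
```

Run it against a copy of CrushFTP.log by reading the file into a string and passing it to both functions; a successful challenge (status "valid") yields no classification.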