| At line 4 added 7 lines |
| ---- |
| __⚠️ Proxy Configuration:__ if your server accesses the internet through a proxy, ensure that the following Let’s Encrypt domains are whitelisted to allow successful certificate issuance and renewal:\\ |
| - __acme-v02.api.letsencrypt.org__\\ |
| - __acme-staging-v02.api.letsencrypt.org__\\ |
| \\ |
| ---- |
| \\ |
| At line 21 changed 2 lines |
| • http-01 -> This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible externally on port 80. Make sure HTTPS redirect is disabled. (ACME v1 only supports HTTP-based challenges.)\\ |
| • tls_alpn -> (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible externally on port 443.\\ |
| • http-01 -> This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible __externally__ on port __80__.\\ |
| • tls_alpn -> (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible __externally__ on port __443__.\\ |
| __⚠️ Note:__ Let’s Encrypt only validates __domain ownership__ via ports __80 (for HTTP-01 challenge)__ or __443 (for TLS-ALPN-01 challenge)__. Other ports (such as 444 or 8080) will not work for certificate issuance.\\ |
| At line 30 changed one line |
| example.com,www.example.com,ftp.example.com |
| example.com,ftp.example.com |
| At line 36 changed one line |
| 💡 Must end in .jks\\ |
| ⚠️ Must end in .jks\\ |
| At line 38 changed one line |
| __Keystore Password / Key Password__:Passwords used to protect:\\ |
| __Keystore Password / Key Password__: Passwords used to protect:\\ |
| At line 43 changed one line |
| __Staging Flag:__ This enables test mode. When true, it only generates a dummy keystore (.jks), not a valid certificate.\\ |
| __Organization Unit, Locality, State, Country Code, Email__: Used to populate the subject information in the certificate request (CSR). __Email__ is required by Let’s Encrypt and used for expiration notices.\\ |
| At line 45 changed one line |
| Once all fields are completed, click Submit. The keystore will be created at the specified path.\\ |
| __Optional Checkboxes__:\\ |
| • __Ignore Failing “Not a CrushFTP Server”:__ Skips verification that the target is a valid CrushFTP server. Use if the check causes problems and you’re sure the server is correct.\\ |
| • __Skip all pre-checks (DNS, CrushFTP server, etc)__: Bypasses all preliminary checks. Useful for troubleshooting.\\ |
| • __Replicate?__: Used in clustered environments. If enabled, the cert is also replicated to slave/replica nodes.\\ |
| At line 47 changed one line |
| After a successful generation, go to __Preferences → Encryption → SSL__ and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically.\\ |
| Once all fields are completed, click the __Test__ button to validate your configuration. If the test is successful, click __Submit__ to generate the keystore at the specified location.\\ |
| At line 49 changed one line |
| After saving the SSL settings, restart the HTTPS port or the CrushFTP service to load the new certificate. You can then test access using a browser. |
| ✅__ Update the certificate automatically:__ Enables auto-renewal of the Let’s Encrypt certificate.\\ |
| __Update certs before__: __5__ days -> Starts renewal process 5 days before expiration.\\ |
| __Check certificate every__: __5__ days -> Interval between certificate validity checks.\\ |
| __Update info__: Shows the last time the certificate was checked.\\ |
| __Execute CrushTask/Job after cert renew__: After a successful renewal, runs a [CrushTask] or Job by name. Useful for actions like sending alerts.\\ |
| At line 51 changed one line |
| You will need to click Submit and restart the service every 60–90 days, as Let’s Encrypt certificates are only valid for that duration.\\ |
| ⚠️__Note:__ After a successful generation, go to __Preferences → Encryption → [SSL]__ and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically.\\ |
| At line 53 changed one line |
| Update the certificate automatically: This setting enables automatic certificate renewal and restarts the HTTPS Server Item ports. Let’s Encrypt allows only 5–6 attempts per week, so we recommend setting this check to run weekly. |
| __Submit Button:__ Issues a new certificate or initiates a renewal based on the current configuration. ⚠️ Use this only after the __Test button__ has confirmed a successful setup.\\ |
| __Test Button:__ Immediately validates the current configuration and attempts a certificate request in staging mode to avoid rate limits. ⚠️ Always use this first to ensure your settings are correct.\\ |
| At line 55 changed one line |
| Alert: To receive notifications about failed certificate updates, create a “Plugin Message” alert under Preferences → Alerts. |
| __Alert__: To receive notifications about failed certificate updates, create a __Plugin Message__ alert under __Preferences → Alerts__. |
| At line 59 changed 5 lines |
|
| __0.)__ Download and replace the plugin — Let’s Encrypt occasionally changes its API.\\ |
| __1.)__ Ensure your server is accessible over HTTP (port 80) or HTTPS (port 443) for the given domain.\\ |
| __2.)__ Verify that the Staging flag is set correctly (for testing). Try checking the options to Delete account key pair and Delete domain key pair, then run the test again.\\ |
| __3.)__ Re-enter the Keystore Password and Key Password, and test again.\\ |
| __1.)__ Ensure your __CrushFTP Server__ is accessible over __HTTP (port 80)__ or __HTTPS (port 443)__ for the given __domain__.\\ |
| You can verify this by using a simple command like:\\ |
| {{{ |
| telnet yourdomain.com 80 |
| or |
| telnet yourdomain.com 443 |
| }}}\\ |
| If the connection succeeds, the port is open and reachable. If it fails, check your firewall, port forwarding, or network settings to ensure external access is allowed. |
| You can also use [yougetsignal open ports test link|https://www.yougetsignal.com/tools/open-ports/] to test your domain’s open ports from the internet.\\ |
| If the test fails:\\ |
| • Check your router’s port forwarding rules\\ |
| • Ensure no firewall (local or network) is blocking access\\ |
| • Confirm that CrushFTP is listening on the required ports in your Server Items\\ |
| At line 89 added 56 lines |
| __2.)__ Verify that the domain and ports point to the correct CrushFTP instance. Make sure the DNS for your domain resolves to the correct public IP address of your CrushFTP server.\\ |
| __⚠️ Note:__ Let’s Encrypt only validates domain ownership via ports __80__ or __443__, depending on the challenge type selected. Other ports (e.g., 444, 8080) will not work for certificate issuance.\\ |
| \\ |
| __3.)__Use test mode first: Always click the Test button before making a real certificate request. This validates your configuration and helps avoid hitting Let’s Encrypt rate limits during setup.\\ |
| \\ |
| __4.)__ Check the main CrushFTP.log for errors, especially rate limit issues. Look for entries such as __LetsEncrypt:Challenge result__ that may include error details.\\ |
| \\ |
| __Common Let’s Encrypt rate limit error types__:\\ |
| {{{ |
| SERVER|LetsEncrypt:Challenge result: { |
| "type": "tls-alpn-01", |
| "status": "invalid", |
| "error": { |
| "type": "urn:ietf:params:acme:error:rateLimited", |
| "detail": "Error creating new order :: too many certificates already issued for exact set of domains: example.com,www.example.com: see https://letsencrypt.org/docs/rate-limits/", |
| "status": 429 |
| } |
| } |
| }}}\\ |
| {{{ |
| SERVER|LetsEncrypt:Challenge result: { |
| "type": "tls-alpn-01", |
| "status": "invalid", |
| "error": { |
| "type": "urn:ietf:params:acme:error:rateLimited", |
| "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/", |
| "status": 429 |
| } |
| } |
| }}}\\ |
| {{{ |
| SERVER|LetsEncrypt:Challenge result: { |
| "type": "tls-alpn-01", |
| "status": "invalid", |
| "error": { |
| "type": "urn:ietf:params:acme:error:rateLimited", |
| "detail": "Error creating new account :: too many registrations for this IP :: see https://letsencrypt.org/docs/rate-limits/", |
| "status": 429 |
| } |
| } |
| }}}\\ |
| Let’s Encrypt enforces strict rate limits to prevent abuse. If your request fails, check the logs for messages indicating you’ve hit a rate limit.\\ |
| Below are common limits and their reset windows:\\ |
| -__Duplicate Certificate Limit__:\\ |
| • Limit: 5 identical certificates per domain per week\\ |
| • Reset: 7 days after the first certificate issuance\\ |
| -__Certificates per Registered Domain__:\\ |
| • Limit: 50 new certificates per week for the same base domain (e.g., example.com)\\ |
| • Reset: 7 days\\ |
| -__Failed Validation Attempts__\\ |
| • Limit: 5 failed validation attempts per account, per hostname, per hour\\ |
| • Reset: After 1 hour\\ |
| -__Account Creation Limit__:\\ |
| • Limit: 10 new accounts per IP address every 3 hours\\ |
| • Reset: After 3 hours\\ |
| \\ |
