| At line 4 added 7 lines |
| ---- |
| __⚠️ Proxy Configuration:__ if your server accesses the internet through a proxy, ensure that the following Let’s Encrypt domains are whitelisted to allow successful certificate issuance and renewal:\\ |
| - __acme-v02.api.letsencrypt.org__\\ |
| - __acme-staging-v02.api.letsencrypt.org__\\ |
| \\ |
| ---- |
| \\ |
| At line 21 changed 2 lines |
| • http-01 -> This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible externally on port 80. Make sure HTTPS redirect is disabled. (ACME v1 only supports HTTP-based challenges.)\\ |
| • tls_alpn -> (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible externally on port 443.\\ |
| • http-01 -> This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible __externally__ on port __80__.\\ |
| • tls_alpn -> (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible __externally__ on port __443__.\\ |
| __⚠️ Note:__ Let’s Encrypt only validates __domain ownership__ via ports __80 (for HTTP-01 challenge)__ or __443 (for TLS-ALPN-01 challenge)__. Other ports (such as 444 or 8080) will not work for certificate issuance.\\ |
| At line 30 changed one line |
| example.com,www.example.com,ftp.example.com |
| example.com,ftp.example.com |
| At line 36 changed one line |
| 💡 Must end in .jks\\ |
| ⚠️ Must end in .jks\\ |
| At line 38 changed one line |
| __Keystore Password / Key Password__:Passwords used to protect:\\ |
| __Keystore Password / Key Password__: Passwords used to protect:\\ |
| At line 45 removed 2 lines |
| Once all fields are completed, click Submit. The keystore will be created at the specified path.\\ |
| \\ |
| At line 58 added 2 lines |
| Once all fields are completed, click the __Test__ button to validate your configuration. If the test is successful, click __Submit__ to generate the keystore at the specified location.\\ |
| \\ |
| At line 58 changed one line |
| After a successful generation, go to __Preferences → Encryption → SSL__ and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically.\\ |
| ⚠️__Note:__ After a successful generation, go to __Preferences → Encryption → [SSL]__ and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically.\\ |
| At line 60 changed 2 lines |
| __Submit Button:__ Issues a new certificate or initiates a renewal based on the current configuration.\\ |
| __Test Button:__ Immediately validates the current configuration and attempts a certificate request in staging mode to avoid rate limits. Always use this first to ensure your settings are correct.\\ |
| __Submit Button:__ Issues a new certificate or initiates a renewal based on the current configuration. ⚠️ Use this only after the __Test button__ has confirmed a successful setup.\\ |
| __Test Button:__ Immediately validates the current configuration and attempts a certificate request in staging mode to avoid rate limits. ⚠️ Always use this first to ensure your settings are correct.\\ |
| At line 63 changed one line |
| After saving the SSL settings, restart the HTTPS port or the CrushFTP service to load the new certificate. You can then test access using a browser. |
| __Alert__: To receive notifications about failed certificate updates, create a __Plugin Message__ alert under __Preferences → Alerts__. |
| At line 65 changed one line |
| You will need to click Submit and restart the service every 60–90 days, as Let’s Encrypt certificates are only valid for that duration.\\ |
| !!!Troubleshooting |
| At line 67 changed one line |
| Update the certificate automatically: This setting enables automatic certificate renewal and restarts the HTTPS Server Item ports. Let’s Encrypt allows only 5–6 attempts per week, so we recommend setting this check to run weekly. |
| __1.)__ Ensure your __CrushFTP Server__ is accessible over __HTTP (port 80)__ or __HTTPS (port 443)__ for the given __domain__.\\ |
| You can verify this by using a simple command like:\\ |
| {{{ |
| telnet yourdomain.com 80 |
| or |
| telnet yourdomain.com 443 |
| }}}\\ |
| If the connection succeeds, the port is open and reachable. If it fails, check your firewall, port forwarding, or network settings to ensure external access is allowed. |
| You can also use [yougetsignal open ports test link|https://www.yougetsignal.com/tools/open-ports/] to test your domain’s open ports from the internet.\\ |
| If the test fails:\\ |
| • Check your router’s port forwarding rules\\ |
| • Ensure no firewall (local or network) is blocking access\\ |
| • Confirm that CrushFTP is listening on the required ports in your Server Items\\ |
| At line 69 changed one line |
| Alert: To receive notifications about failed certificate updates, create a “Plugin Message” alert under Preferences → Alerts. |
| __2.)__ Verify that the domain and ports point to the correct CrushFTP instance. Make sure the DNS for your domain resolves to the correct public IP address of your CrushFTP server.\\ |
| __⚠️ Note:__ Let’s Encrypt only validates domain ownership via ports __80__ or __443__, depending on the challenge type selected. Other ports (e.g., 444, 8080) will not work for certificate issuance.\\ |
| At line 71 changed one line |
| !!!Troubleshooting |
| __3.)__Use test mode first: Always click the Test button before making a real certificate request. This validates your configuration and helps avoid hitting Let’s Encrypt rate limits during setup.\\ |
| At line 73 changed 3 lines |
| __1.)__ Ensure your __CrushFTP Server__ is accessible over __HTTP (port 80)__ or __HTTPS (port 443)__ for the given __domain__.\\ |
| __2.)__ Verify that the Staging flag is set correctly (for testing). Try checking the options to Delete account key pair and Delete domain key pair, then run the test again.\\ |
| __3.)__ Re-enter the Keystore Password and Key Password, and test again.\\ |
| __4.)__ Check the main CrushFTP.log for errors, especially rate limit issues. Look for entries such as __LetsEncrypt:Challenge result__ that may include error details.\\ |
| At line 96 added 49 lines |
| __Common Let’s Encrypt rate limit error types__:\\ |
| {{{ |
| SERVER|LetsEncrypt:Challenge result: { |
| "type": "tls-alpn-01", |
| "status": "invalid", |
| "error": { |
| "type": "urn:ietf:params:acme:error:rateLimited", |
| "detail": "Error creating new order :: too many certificates already issued for exact set of domains: example.com,www.example.com: see https://letsencrypt.org/docs/rate-limits/", |
| "status": 429 |
| } |
| } |
| }}}\\ |
| {{{ |
| SERVER|LetsEncrypt:Challenge result: { |
| "type": "tls-alpn-01", |
| "status": "invalid", |
| "error": { |
| "type": "urn:ietf:params:acme:error:rateLimited", |
| "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/", |
| "status": 429 |
| } |
| } |
| }}}\\ |
| {{{ |
| SERVER|LetsEncrypt:Challenge result: { |
| "type": "tls-alpn-01", |
| "status": "invalid", |
| "error": { |
| "type": "urn:ietf:params:acme:error:rateLimited", |
| "detail": "Error creating new account :: too many registrations for this IP :: see https://letsencrypt.org/docs/rate-limits/", |
| "status": 429 |
| } |
| } |
| }}}\\ |
| Let’s Encrypt enforces strict rate limits to prevent abuse. If your request fails, check the logs for messages indicating you’ve hit a rate limit.\\ |
| Below are common limits and their reset windows:\\ |
| -__Duplicate Certificate Limit__:\\ |
| • Limit: 5 identical certificates per domain per week\\ |
| • Reset: 7 days after the first certificate issuance\\ |
| -__Certificates per Registered Domain__:\\ |
| • Limit: 50 new certificates per week for the same base domain (e.g., example.com)\\ |
| • Reset: 7 days\\ |
| -__Failed Validation Attempts__\\ |
| • Limit: 5 failed validation attempts per account, per hostname, per hour\\ |
| • Reset: After 1 hour\\ |
| -__Account Creation Limit__:\\ |
| • Limit: 10 new accounts per IP address every 3 hours\\ |
| • Reset: After 3 hours\\ |
| \\ |
