| At line 4 changed one line |
| About Let's Encrypt: It is a certificate authority that provides certificates (only domain-validated certificates) for free. (for more info : [https://letsencrypt.org/how-it-works/])\\ |
| About Let’s Encrypt: It is a certificate authority that provides domain-validated certificates for free. (For more info: [https://letsencrypt.org/how-it-works/])\\ |
| At line 6 added one line |
| The LetsEncrypt plugin allows you to create a Java Keystore file (.jks) that is authorized by the Let’s Encrypt certificate authority. You do not need to install, configure, or use certbot if you are using this plugin.\\ |
| At line 7 changed 3 lines |
| LetsEncrypt plugin allows you to create a java key store file (the .JKS file) authorized by the Let's Encrypt certificate authority. You do not need to install, configure, or do anything with certbot if using this plugin.\\ |
| \\ |
| [attachments|lets_encrypt_header.png] |
| [attachments|lets_encrypt_header.png]\\ |
| At line 12 changed one line |
| Server Instance : To generate certificate for DMZ just specify the DMZ server instance name. The Let's encrypt server will test the given server instance. Leave it empty for normal case. \\ |
| Server Instance: To generate a certificate for a DMZ instance, specify the DMZ server instance name. Let’s Encrypt will challenge that server instance. Leave it empty for the default/main instance. |
| At line 14 changed 3 lines |
| Challenge type : Only available on V02.\\ |
| http-01-> It is an http based challenge it requires the CrushFTP to have an HTTP server item available from outside on port 80. Make you sure the https redirect is turned off. V01 can only do http based challenge.\\ |
| tls_alpn-> (!!! Only works with Java 11+) It is a tls based challenge it requires the CrushFTP to have an HTTPS server item available from outside on port 443.\\ |
| Challenge Type: Available only with ACME v2. |
| • http-01 → This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible externally on port 80. Make sure HTTPS redirect is disabled. (ACME v1 only supports HTTP-based challenges.) |
| • tls_alpn → (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible externally on port 443. |
| At line 18 changed one line |
| Domains : Multiple domains should be separated with a comma.\\ |
| Domains: Multiple domains should be separated with commas. |
| At line 20 changed one line |
| Keystore: Set the location of the jks file by selecting an existing path then appending a file name for the required keystore file.\\ |
| Keystore: Set the location for the .jks file by selecting a valid directory and appending a filename for the keystore. |
| At line 22 changed one line |
| NOTE: the name should end in .jks\\ |
| NOTE: The filename must end in .jks. |
| At line 24 changed one line |
| Staging flag: It is for __test mode__. If the is true it will only generate a dummy jks, not a valid one.\\ |
| Staging Flag: This enables test mode. When true, it only generates a dummy keystore (.jks), not a valid certificate. |
| At line 26 changed one line |
| If the all fields are ready hit the submit, and the jks will be created in the specified key store location.\\ |
| Once all fields are completed, click Submit. The keystore will be created at the specified path. |
| At line 28 changed one line |
| Once done, and full success, there is another step. On Preferences_>Encryption_>SSL page, will need to supply the same full path to the key store (.jks) file and the passwords you entered on the Letsencrypt plugin. The plugin only generates the key store, but doesn't apply it. Once done, test, if successful, save, then restart the HTTPS port or the CrushFTP service, to actually load the cert. Then can test with a browser.\\ |
| After a successful generation, go to Preferences → Encryption → SSL and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically. |
| At line 30 changed one line |
| Will need to click Submit and restart every 60-90 days , because the Let's encrypt cert is valid only for this long.\\ |
| After saving the SSL settings, restart the HTTPS port or the CrushFTP service to load the new certificate. You can then test access using a browser. |
| At line 32 changed 2 lines |
| __Update the certificate automatically:__ It updates the certificate automatically and restarts the https server item ports. Let's encrypt server allows 5-6 tries weekly, we suggest to set the check certificate weekly.\\ |
| __Alert:__ To get notification about failed updates create Plugin Message alert (Preferences -> Alerts). |
| You will need to click Submit and restart the service every 60–90 days, as Let’s Encrypt certificates are only valid for that duration. |
| At line 35 changed one line |
| !!!Troubleshooting\\ |
| Update the certificate automatically: This setting enables automatic certificate renewal and restarts the HTTPS Server Item ports. Let’s Encrypt allows only 5–6 attempts per week, so we recommend setting this check to run weekly. |
| At line 37 changed 4 lines |
| 0. Download replace plugin. Let's Encrypt often has change on the API. |
| 1. Check that your server is reachable through the given domain with http protocol on the default port (80) or on https on the default port (443).\\ |
| 2. Check Staging flag, it is a test mode. Always try first in test mode. Check the Delete account key pair and Delete domain key pair flags and test again.\\ |
| 3. Rewrite the Keystore Password and Key Password, test it again. |
| Alert: To receive notifications about failed certificate updates, create a “Plugin Message” alert under Preferences → Alerts. |
| \\ |
| !!!Troubleshooting |
| \\ |
|
| 0. Download and replace the plugin — Let’s Encrypt occasionally changes its API.\\ |
| 1. Ensure your server is accessible over HTTP (port 80) or HTTPS (port 443) for the given domain.\\ |
| 2. Verify that the Staging flag is set correctly (for testing). Try checking the options to Delete account key pair and Delete domain key pair, then run the test again.\\ |
| 3. Re-enter the Keystore Password and Key Password, and test again.\\ |
| \\ |
