\\
!!LetsEncrypt plugin
\\
__About Let’s Encrypt__: Let’s Encrypt is a free, automated, and open certificate authority (CA) that issues domain-validated (DV) TLS/SSL certificates to help secure websites and services. Learn more at [Let’s Encrypt Link|https://letsencrypt.org/how-it-works].\\
\\
The Let’s Encrypt plugin in CrushFTP simplifies certificate management by automatically generating a __Java Keystore (.jks)__ file containing a valid certificate from Let’s Encrypt. This plugin eliminates the need to install or configure external tools like Certbot — everything is handled directly within CrushFTP.\\
\\
[attachments|lets_encrypt_header.png]\\
[attachments|lets_encrypt.png]\\
\\
✅ __Enabled__: Turns the Let’s Encrypt plugin on so it runs and attempts to manage certificates.\\
\\
✅ __Debug__: Enables verbose logging to help diagnose issues during certificate generation or renewal.\\
\\
__ACME Host__: acme-v02.api.letsencrypt.org: The production Let’s Encrypt ACME server for issuing real certificates.\\
__ACME Staging Host__: acme-staging-v02.api.letsencrypt.org: Used for testing — issues dummy certs that aren’t trusted by browsers but avoid hitting rate limits.\\
\\
__Server Instance__: Selects which CrushFTP server instance ([DMZ] node) the certificate should be generated for.  Let’s Encrypt will challenge that server instance. Leave it empty for the default/main instance.\\
\\
__Challenge Type:__ Available only with ACME v2.\\
• http-01 -> This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible externally on port 80. Make sure HTTPS redirect is disabled. (ACME v1 only supports HTTP-based challenges.)\\
• tls_alpn -> (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible externally on port 443.\\
\\
__Related CrushFTP Server port__: Must match the HTTPS port configured in your CrushFTP server item. Defaults to 443.\\
\\
__Notes__: Freeform text field. Internal documentation or notes only. Has no effect on behavior.\\
\\
__Domains:__ Enter one or more domains, comma-separated. Example:\\
{{{
 example.com,www.example.com,ftp.example.com
 }}}\\
\\
__Keystore:__ Path (URL-style) to the .jks file that will be created/used to store the Let’s Encrypt certificate.
Example: 
{{{file://var/opt/CrushFTP11/letsencrypt_keystore.jks}}}\\
💡 Must end in .jks\\
\\
__Keystore Password / Key Password__: Passwords used to protect:\\
• The Java Keystore (Keystore Password)\\
• The private key inside the keystore (Key Password)\\
🔐 These must be remembered for configuring [SSL] later in Preferences.\\
\\
__Organization Unit, Locality, State, Country Code, Email__: Used to populate the subject information in the certificate request (CSR). __Email__ is required by Let’s Encrypt and used for expiration notices.\\
\\
Once all fields are completed, click Submit. The keystore will be created at the specified path.\\
\\
__Optional Checkboxes__:\\
• __Ignore Failing “Not a CrushFTP Server”:__ Skips verification that the target is a valid CrushFTP server. Use if the check causes problems and you’re sure the server is correct.\\
•  __Skip all pre-checks (DNS, CrushFTP server, etc)__: Bypasses all preliminary checks. Useful for troubleshooting.\\
• __Replicate?__: Used in clustered environments. If enabled, the cert is also replicated to slave/replica nodes.\\
\\
✅ __Update the certificate automatically:__ Enables auto-renewal of the Let’s Encrypt certificate.\\
__Update certs before__: __5__ days -> Starts renewal process 5 days before expiration.\\
__Check certificate every__: __5__ days -> Interval between certificate validity checks.\\
__Update info__: Shows the last time the certificate was checked.\\
__Execute CrushTask/Job after cert renew__: After a successful renewal, runs a [CrushTask] or Job by name. Useful for actions like sending alerts.\\
\\
After a successful generation, go to __Preferences → Encryption → SSL__ and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically.\\
\\
__Submit Button:__ Issues a new certificate or initiates a renewal based on the current configuration.\\
__Test Button:__  Immediately validates the current configuration and attempts a certificate request in staging mode to avoid rate limits. Always use this first to ensure your settings are correct.\\
\\
After saving the SSL settings, restart the HTTPS port or the CrushFTP service to load the new certificate. You can then test access using a browser.
\\
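A scripted complement to the browser test, as an added example that is not part of CrushFTP or its documentation: it compares the certificate served on the HTTPS port with the plugin's Domains field and the 5-day "Update certs before" window. The function names, the sample certificate, and the timestamp are constructed for illustration.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 5  # the "Update certs before" value shown on this page

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jan  5 09:34:43 2018 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

def parse_domains(field):
    """Split the plugin's comma-separated Domains field into lowercase names."""
    return [d.strip().lower() for d in field.split(",") if d.strip()]

def audit_cert(cert, domains_field, now=None):
    """Compare a served certificate with the Domains field and renewal window."""
    now = time.time() if now is None else now
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    missing = [d for d in parse_domains(domains_field) if d not in sans]
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    return {
        "missing": missing,        # configured domains absent from the SAN list
        "days_left": days_left,
        "renew_due": days_left <= RENEW_WINDOW_DAYS,
        "expired": days_left <= 0,
    }

def fetch_cert(host, port=443, timeout=10):
    """Fetch the served certificate over a verified TLS connection.

    Raises ssl.SSLCertVerificationError for an untrusted chain (for example a
    staging certificate) or a host name mismatch.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Offline demo on the constructed sample; pass fetch_cert("your.host")
    # instead of SAMPLE_CERT to audit a live HTTPS port.
    print(audit_cert(SAMPLE_CERT, "example.com,www.example.com,ftp.example.com"))
```

A non-empty `missing` list means the keystore loaded by the HTTPS port does not cover every configured domain, which usually points to an old keystore path in the SSL preferences or a port that was not restarted.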
You will need to click Submit and restart the service every 60–90 days, as Let’s Encrypt certificates are only valid for that duration.\\
\\
__Update the certificate automatically__: This setting enables automatic certificate renewal and restarts the HTTPS Server Item ports. Let’s Encrypt allows only 5–6 attempts per week, so we recommend setting this check to run weekly.
\\
__Alert__: To receive notifications about failed certificate updates, create a “Plugin Message” alert under Preferences → Alerts.
\\
!!!Troubleshooting
\\
__1.)__ Ensure your __CrushFTP Server__ is accessible over __HTTP (port 80)__ or __HTTPS (port 443)__ for the given __domain__.\\
__2.)__ Verify that the Staging flag is set correctly (for testing). Try checking the options to Delete account key pair and Delete domain key pair, then run the test again.\\
__3.)__ Re-enter the Keystore Password and Key Password, and test again.\\
\\