!!LetsEncrypt plugin
----
__⚠️ Proxy Configuration:__ If your server accesses the internet through a proxy, ensure that the following Let’s Encrypt domains are whitelisted to allow successful certificate issuance and renewal:\\
- __acme-v02.api.letsencrypt.org__\\
- __acme-staging-v02.api.letsencrypt.org__\\
\\
----
__About Let’s Encrypt__: Let’s Encrypt is a free, automated, and open certificate authority (CA) that issues domain-validated (DV) TLS/SSL certificates to help secure websites and services. Learn more at [Let’s Encrypt Link|https://letsencrypt.org/how-it-works].\\
\\
The Let’s Encrypt plugin in CrushFTP simplifies certificate management by automatically generating a __Java Keystore (.jks)__ file containing a valid certificate from Let’s Encrypt. This plugin eliminates the need to install or configure external tools like Certbot — everything is handled directly within CrushFTP.\\
\\
[attachments|lets_encrypt_header.png]\\
[attachments|lets_encrypt.png]\\
\\
✅ __Enabled__: Turns the Let’s Encrypt plugin on so it runs and attempts to manage certificates.\\
\\
✅ __Debug__: Enables verbose logging to help diagnose issues during certificate generation or renewal.\\
\\
__ACME Host__: acme-v02.api.letsencrypt.org: The production Let’s Encrypt ACME server for issuing real certificates.\\
__ACME Staging Host__: acme-staging-v02.api.letsencrypt.org: Used for testing — issues dummy certs that aren’t trusted by browsers but avoid hitting rate limits.\\
\\
__Server Instance__: Selects which CrushFTP server instance ([DMZ] node) the certificate should be generated for. Let’s Encrypt will challenge that server instance. Leave it empty for the default/main instance.\\
\\
__Challenge Type:__ Available only with ACME v2.\\
• http-01 -> This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible externally on port 80. Make sure HTTPS redirect is disabled.
(ACME v1 only supports HTTP-based challenges.)\\
• tls_alpn -> (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible externally on port 443.\\
\\
__Related CrushFTP Server port__: Must match the HTTPS port configured in your CrushFTP server item. Defaults to 443.\\
\\
__Notes__: Freeform text field. Internal documentation or notes only. Has no effect on behavior.\\
\\
__Domains:__ Enter one or more domains, comma-separated. Example:\\
{{{ example.com,www.example.com,ftp.example.com }}}\\
\\
__Keystore:__ Path (URL-style) to the .jks file that will be created/used to store the Let’s Encrypt certificate. Example: {{{file://var/opt/CrushFTP11/letsencrypt_keystore.jks}}}\\
⚠️ Must end in .jks\\
\\
__Keystore Password / Key Password__: Passwords used to protect:\\
• The Java Keystore (Keystore Password)\\
• The private key inside the keystore (Key Password)\\
🔐 These must be remembered for configuring [SSL] later in Preferences.\\
\\
__Organization Unit, Locality, State, Country Code, Email__: Used to populate the subject information in the certificate request (CSR). __Email__ is required by Let’s Encrypt and used for expiration notices.\\
\\
Once all fields are completed, click Submit. The keystore will be created at the specified path.\\
\\
__Optional Checkboxes__:\\
• __Ignore Failing “Not a CrushFTP Server”:__ Skips verification that the target is a valid CrushFTP server. Use if the check causes problems and you’re sure the server is correct.\\
• __Skip all pre-checks (DNS, CrushFTP server, etc)__: Bypasses all preliminary checks. Useful for troubleshooting.\\
• __Replicate?__: Used in clustered environments.
If enabled, the cert is also replicated to slave/replica nodes.\\
\\
✅ __Update the certificate automatically:__ Enables auto-renewal of the Let’s Encrypt certificate.\\
__Update certs before__: __5__ days -> Starts renewal process 5 days before expiration.\\
__Check certificate every__: __5__ days -> Interval between certificate validity checks.\\
__Update info__: Shows the last time the certificate was checked.\\
__Execute CrushTask/Job after cert renew__: After a successful renewal, runs a [CrushTask] or Job by name. Useful for actions like sending alerts.\\
\\
⚠️ __Note:__ After a successful generation, go to __Preferences → Encryption → SSL__ and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically.\\
\\
__Submit Button:__ Issues a new certificate or initiates a renewal based on the current configuration.\\
__Test Button:__ Immediately validates the current configuration and attempts a certificate request in staging mode to avoid rate limits. ⚠️ Always use this first to ensure your settings are correct.\\
\\
__Alert__: To receive notifications about failed certificate updates, create a __Plugin Message__ alert under __Preferences → Alerts__.\\
!!!Troubleshooting
__1.)__ Ensure your __CrushFTP Server__ is accessible over __HTTP (port 80)__ or __HTTPS (port 443)__ for the given __domain__.\\
__2.)__ Verify that the Staging flag is set correctly (for testing). Try checking the options to Delete account key pair and Delete domain key pair, then run the test again.\\
__3.)__ Re-enter the Keystore Password and Key Password, and test again.\\
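An added example for troubleshooting step 1 (not CrushFTP code): a Python pre-flight that takes the comma-separated Domains field, resolves each name, and tests the port used by the selected Challenge Type. The function names and the optional `port` override are hypothetical; the sample domains are the ones from the Domains example above.

```python
"""Pre-flight for the Domains / Challenge Type fields (added example, not CrushFTP code).

Run it from a host outside your network: Let's Encrypt validates from the public
internet, so a check made from inside only proves local reachability.
"""
import socket

# Port the ACME server connects to for each Challenge Type named on this page.
CHALLENGE_PORTS = {"http-01": 80, "tls_alpn": 443}


def parse_domains(field):
    """Split the comma-separated Domains field, dropping blanks and duplicates."""
    seen, out = set(), []
    for raw in field.split(","):
        name = raw.strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(domains_field, challenge_type, port=None):
    """Return {domain: (resolved_addresses, reachable)} for the challenge port."""
    port = port or CHALLENGE_PORTS[challenge_type]
    report = {}
    for name in parse_domains(domains_field):
        try:
            infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
            addrs = sorted({info[4][0] for info in infos})
        except (socket.gaierror, UnicodeError):
            addrs = []  # no DNS record: the ACME challenge cannot reach this name
        report[name] = (addrs, bool(addrs) and port_open(name, port))
    return report


if __name__ == "__main__":
    # Constructed sample input: domains from the Domains example on this page.
    for name, (addrs, ok) in preflight("example.com,www.example.com", "http-01").items():
        print(f"{name}: dns={addrs or 'NO RECORD'} port_reachable={ok}")
```

A domain that resolves but reports `port_reachable=False` usually points at a firewall, NAT rule, or a Server item bound to a different port than the challenge expects.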