

LetsEncrypt plugin


About Let’s Encrypt: Let’s Encrypt is a certificate authority that provides domain-validated certificates for free. (For more info: https://letsencrypt.org/how-it-works/)

The LetsEncrypt plugin allows you to create a Java Keystore file (.jks) containing a certificate issued by the Let’s Encrypt certificate authority. You do not need to install, configure, or use certbot if you are using this plugin.


Server Instance: To generate a certificate for a DMZ instance, specify the DMZ server instance name. Let’s Encrypt will challenge that server instance. Leave it empty for the default/main instance.

Challenge Type: Available only with ACME v2.
• http-01 -> This is an HTTP-based challenge and requires CrushFTP to have an HTTP Server item accessible externally on port 80. Make sure HTTPS redirect is disabled. (ACME v1 only supports HTTP-based challenges.)
• tls_alpn -> (Only works with Java 11 or higher) This is a TLS-based challenge and requires CrushFTP to have an HTTPS Server item accessible externally on port 443.

Domains: Multiple domains should be separated with commas.

Keystore: Set the location for the .jks file by selecting a valid directory and appending a filename for the keystore.
NOTE: The filename must end in .jks.

Staging Flag: This enables test mode. When true, it only generates a dummy keystore (.jks), not a valid certificate.

Once all fields are completed, click Submit. The keystore will be created at the specified path.

After a successful generation, go to Preferences → Encryption → SSL and enter the same full path to the .jks file, along with the passwords you specified in the Let’s Encrypt plugin. The plugin only generates the keystore — it does not apply it automatically.

After saving the SSL settings, restart the HTTPS port or the CrushFTP service to load the new certificate. You can then test access using a browser.
You will need to click Submit and restart the service every 60–90 days, as Let’s Encrypt certificates are only valid for that duration.

Update the certificate automatically: This setting enables automatic certificate renewal and restarts the HTTPS Server Item ports. Let’s Encrypt allows only 5–6 attempts per week, so we recommend setting this check to run weekly.
Alert: To receive notifications about failed certificate updates, create a “Plugin Message” alert under Preferences → Alerts.
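
An independent check of the certificate actually being served, useful after a renewal because the plugin only writes the keystore and the HTTPS port must reload it. This is an added example, not part of CrushFTP or the plugin; the function names, the example.com hostnames and the 21-day threshold are assumptions.

```python
import socket
import ssl
import time

def check_cert(cert, domains_csv, now=None, min_days=21):
    """Return a list of problems for a parsed certificate (getpeercert() dict).

    domains_csv mirrors the plugin's comma-separated Domains field.
    min_days is an assumed alerting threshold, not a CrushFTP setting.
    """
    now = time.time() if now is None else now
    problems = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("expired %d days ago" % -days_left)
    elif days_left < min_days:
        problems.append("expires in %d days" % days_left)
    # Exact-name comparison only; wildcard SAN entries are not expanded.
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for domain in (d.strip().lower() for d in domains_csv.split(",")):
        if domain and domain not in sans:
            problems.append("not covered by certificate: " + domain)
    return problems

def audit(host, domains_csv, port=443, timeout=10):
    """Fetch the certificate served on the HTTPS port and check it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return check_cert(tls.getpeercert(), domains_csv)
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain (for example a Staging-flag keystore, or the new
        # .jks was never applied under SSL settings) or a hostname mismatch.
        return ["certificate not trusted: " + exc.verify_message]

# Constructed sample in getpeercert() format (not from a real server).
SAMPLE = {
    "notAfter": "Aug 25 08:00:00 2025 GMT",
    "subjectAltName": (("DNS", "ftp.example.com"),),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Aug 15 08:00:00 2025 GMT")

if __name__ == "__main__":
    print(check_cert(SAMPLE, "ftp.example.com, dmz.example.com", now=SAMPLE_NOW))
```

Call `audit("your.domain", "your.domain,other.domain")` against the live server; an empty list means the served certificate is trusted, covers every listed domain and is not close to expiry.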

Troubleshooting


0. Download and replace the plugin — Let’s Encrypt occasionally changes its API.
1. Ensure your server is accessible over HTTP (port 80) or HTTPS (port 443) for the given domain.
2. Verify that the Staging flag is set correctly (for testing). Try checking the options to Delete account key pair and Delete domain key pair, then run the test again.
3. Re-enter the Keystore Password and Key Password, and test again.

This particular version was published on 27-May-2025 07:56 by krivacsz.