plugins:letsencrypt
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
plugins:letsencrypt [2016/05/14 17:14] theemstra Configuration added |
plugins:letsencrypt [2016/11/23 16:29] nuxwin [Note for PanelRedirect plugin users] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ======Let's Encrypt Plugin Documentation====== | + | ====== LetsEncrypt Plugin ====== |
| - | This plugin allows the generation and regeneration of Let's Encrypt certificates for use in i-MSCP. | + | <WRAP center round important 60%> |
| + | **Be aware that this documentation is always referring to the latest LetsEncrypt plugin version.** | ||
| + | </WRAP> | ||
| - | This is a paid plugin, so it's not available for free like many other plugins. | + | ===== Introduction ===== |
| + | This plugin provides free SSL certificates through the Let's Encrypt CA. | ||
| ===== Requirements ===== | ===== Requirements ===== | ||
| - | * i-MSCP versions 1.3.x | + | * i-MSCP Serie 1.3.x (version >= 1.3.1 - Plugin API 1.0.5) |
| - | ===== Installation ===== | + | ==== Debian / Ubuntu packages ==== |
| - | **1. Get the latest plugin version from Plugin Store** | + | * libarray-diff-perl |
| + | * libconvert-asn1-perl | ||
| + | * libdatetime-format-strptime-perl | ||
| - | http://i-mscp.net/filebase/index.php/Filebase/ | + | You can install these packages by executing the following commands: |
| - | + | ||
| - | **2. Plugin upload and installation** | + | |
| - | * Login into the panel as admin and go to the plugin management interface | + | # apt-get update |
| - | * Upload the plugin archive | + | # apt-get install -y libarray-diff-perl libconvert-asn1-perl libdatetime-format-strptime-perl |
| - | * Install the plugin | + | |
| + | ===== Installation ===== | ||
| + | - Be sure that all requirements as stated in the requirements section are met | ||
| + | - Upload the plugin through the plugin management interface | ||
| + | - Install the plugin through the plugin management interface | ||
| + | |||
| + | Note that depending on your network connection and processor capacity, the installation can take up several minutes. | ||
| ===== Update ===== | ===== Update ===== | ||
| - | **1. Get the plugin from Plugin Store** | + | - Be sure to read the update notes in the UPDATE.md file |
| + | - Be sure that all requirements as stated in the requirements section are met | ||
| + | - Upload the plugin through the plugin management interface | ||
| + | - Update the plugin list through the plugin management interface | ||
| + | |||
| + | ===== Plugin deactivation/uninstallation ===== | ||
| + | |||
| + | When deactivating, or when uninstalling the plugin, the existents SSL certificate lineages are not removed. Also the database entries that belong to customer SSL certificates are keep in place. This means that any SSL certificate already issued will still be usable by the customer, even if the plugin has been deactivated or uninstalled. | ||
| + | |||
| + | According to the previous sentence, It must be noted that the current actions for SSL certificates that are displayed in the interface, at customer and administrator levels, do not predict the action that will actually take place. The real action to be performed will be automagically determined by the plugin at run time (backend side), by checking the state of the SSL certificate. In other words, the plugin is smart enough to not perform new SSL certificate issuance or renewal when that is not necessary. | ||
| + | |||
| + | ===== Manual execution of the certbot client ===== | ||
| + | |||
| + | You should avoid execute the Certbot client manually, or even through your own scripts, without knowing what your are doing. If you really want execute the `Certbot` client manually, you should at least reuse the email that is used by this plugin. You can find the email address in the /etc/imscp/imscp.conf file (DEFAULT_ADMIN_ADDRESS parameter). | ||
| + | |||
| + | Be aware that not support will be given if following a manual invocation of the Certbot client, one or many of your SSL lineages are in inconsistent states. | ||
| + | |||
| + | ===== Certbot client version ===== | ||
| + | |||
| + | It is possible to use latest released version or development version of the Certbot client by changing the value of the **certbot_version** configuration parameter in the plugin configuration file. Be aware that usage of the development version is discouraged in production environments. | ||
| + | |||
| + | ===== Let's Encrypt registration ===== | ||
| + | |||
| + | The plugin automatically process your Let's Encrypt account registration, using the administrator email address that you have provided during i-MSCP setup phase. If you need change that email, you must not forget to run the following command to update your Let's Encrypt account: | ||
| + | |||
| + | # certbot-auto register --update-registration --email <new_email> | ||
| + | |||
| + | where **<new_email>** is your new email address. | ||
| + | |||
| + | If you don't do so, a new account will be created using the new email address and there will be inconsistencies with SSL certificate lineages, making the plugin unable to work properly. | ||
| + | |||
| + | ===== Let's Encrypt Rate Limits ===== | ||
| + | |||
| + | Be sure to read https://letsencrypt.org/docs/rate-limits | ||
| + | |||
| + | Note that when the Let's Encrypt limits are reached, the plugin will automatically set the status of the SSL certificate to **pending**. The pending tasks are postponed as long as the limits are not released. | ||
| + | |||
| + | ===== Let's Encrypt SSL certificates for the control panel and services (FTP, IMAP/POP and SMTP) ===== | ||
| + | |||
| + | To enable Let's Encrypt for the control panel and/or services you must in order: | ||
| + | |||
| + | - Enable SSL on i-MSCP side for the control panel and/or services, by choosing the `self-signed` SSL certificate option | ||
| + | - Connect as administrator to the control panel | ||
| + | - Activate Let's Encrypt for the control panel and/or services through the administrator's Let's Encrypt interface. | ||
| + | |||
| + | The link for accessing the administrator's Let's Encrypt interface is available in the system tools page. | ||
| + | |||
| + | Note that it is important to not disable this plugin when updating or reconfiguring i-MSCP because there is an event listener that replace the default SSL certificates by the Let's Encrypt SSL certificates. If the LetsEncrypt plugin is disabled, the event listener won't be registered and so, the SSL certificates won't be replaced. | ||
| + | |||
| + | Be aware that this feature is still experimental. | ||
| + | |||
| + | ==== Regarding SSL certificate for the control panel ==== | ||
| + | |||
| + | Note that after enabling Let's Encrypt for the control panel, you may have to close and re-open your browser. Indeed, in some cases, the newly created SSL certificate is not loaded after a simple page refresh. | ||
| + | |||
| + | ===== Note for PanelRedirect plugin users ===== | ||
| + | |||
| + | If you use the PanelRedirect plugin, you must ensure that you have a version greater or equal to **1.1.5**, else, the domain validations will fail. | ||
| + | |||
| + | ===== SANs for alternative URLs ===== | ||
| + | |||
| + | You can enable support for alternative URLs by setting the `include_altnames` configuration parameter to`true` in the plugin configuration file. Once done, don't forget to trigger a plugin list update. | ||
| + | |||
| + | Be aware that this parameters acts only for new SSL certificate issuances. | ||
| + | |||
| + | ==== Warning regarding this feature ==== | ||
| + | |||
| + | Due to the current Let's Encrypt rate limits, it is not recommended to enable this feature. Indeed, each SSL certificate issuance for which a SAN is added for an alternative URL will hits the `Certificate per Registered Domain` limit (20 per week) for the control panel domain. This explain why this feature is turned off by default. | ||
| + | |||
| + | Note that alternative URLs as provided by i-MSCP are meant to allow the customers to access their domains for DNS propagation time. These URLs should not be exposed publicly. | ||
| + | |||
| + | ===== Plugin translation ===== | ||
| + | |||
| + | You can translate this plugin using a gettext translation editor such as poedit. Translation files are located under the ./l10n directory, inside of this plugin archive. Once translated you can send us your translation file (po file) for integration in future release. | ||
| + | |||
| + | Note that if no translation file exists for your localization in the ./l10n/po directory, you must create it first from the l10n/LetsEncrypt.pot file. Be aware that your file must be UTF-8, else, it won't be accepted. | ||
| + | |||
| + | ===== License ===== | ||
| - | http://i-mscp.net/filebase/index.php/Filebase/ | + | i-MSCP LetsEncrypt plugin |
| + | |||
| + | @author Laurent Declercq <[email protected]> | ||
| + | @author Ninos Ego <[email protected]> | ||
| + | @copyright (C) 2016 Laurent Declercq <[email protected]> | ||
| + | @copyright (C) 2016 Ninos Ego <[email protected]> | ||
| + | @license i-MSCP License <https://www.i-mscp.net/license-agreement.html> | ||
| - | **2. Backup your current plugin config** | + | See the LICENSE file inside the archive for further details. |
| - | # plugins/LetsEncrypt/config.php | + | ===== Sponsors ===== |
| - | + | ||
| - | **3. Plugin upload and update** | + | |
| - | * Login into the panel as admin and go to the plugin management interface | + | The development of this plugin has been sponsored by: |
| - | * Upload the new plugin archive | + | |
| - | * Update the plugin list | + | |
| - | ===== Configuration ===== | + | [IP-Projects GmbH & Co. KG](https://www.ip-projects.de/ "IP-Projects GmbH & Co. KG") |
| - | You can configure this plugin to your needs. | + | ===== Authors ===== |
| - | Check out the config.php in the plugin archive. | + | |
| - | Configuration values include: | + | * Laurent Declercq <l.declercq@nuxwin.com> |
| - | **1. Command (and location) of the letsencrypt client | + | * Ninos Ego <me@ninosego.de> |
| - | **2. Period before expiration, certificates will be renewed (default: 30 days before) | + | |
| - | **3. Waiting time for retry if certificate status is pending (default: 1 hour) | + | |
| - | **4. Path to created certificates | + | |
| - | **5. Additional command line options passed-in to letsencrypt while creating certificate | + | |
| - | **6. Additional command line options passed-in to letsencrypt while revoking certificate | + | |
| - | **7. Cronjob for renewing certificates (default: run once per day) | + | |
/var/www/virtual/i-mscp.net/wiki/htdocs/data/pages/plugins/letsencrypt.txt · Last modified: 2017/09/13 23:39 by nuxwin
