This shows you the differences between two versions of the page.
plugins:letsencrypt [2016/11/23 16:26] nuxwin [LetsEncrypt Plugin] |
plugins:letsencrypt [2016/11/23 16:30] nuxwin [Warning regarding this feature] |
||
---|---|---|---|
Line 2: | Line 2: | ||
<WRAP center round important 60%> | <WRAP center round important 60%> | ||
- | **Be aware that this documentation is always reffering to the latest LetsEncrypt plugin version.** | + | **Be aware that this documentation is always referring to the latest LetsEncrypt plugin version.** |
</WRAP> | </WRAP> | ||
Line 20: | Line 20: | ||
You can install these packages by executing the following commands: | You can install these packages by executing the following commands: | ||
- | <konsole root> | + | # apt-get update |
- | apt-get update | + | # apt-get install -y libarray-diff-perl libconvert-asn1-perl libdatetime-format-strptime-perl |
- | apt-get install -y libarray-diff-perl libconvert-asn1-perl libdatetime-format-strptime-perl | + | |
- | </konsole> | + | |
===== Installation ===== | ===== Installation ===== | ||
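Review bot: On the two added "# apt-get ..." lines, the leading "# " root prompt is now part of the text a reader copies, and pasted as-is the shell treats the whole line as a comment, so nothing is installed and no error is shown. Put the commands in a code block without the prompt and say in the preceding sentence that they must be run as root, which the removed <konsole root> wrapper used to convey.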
Line 47: | Line 45: | ||
===== Manual execution of the certbot client ===== | ===== Manual execution of the certbot client ===== | ||
- | You should avoid execute the `Certbot` client manually, or even through your own scripts, without knowing what your are doing. If you really want execute the `Certbot` client manually, you should at least reuse the email that is used by this plugin. You can find the email address in the /etc/imscp/imscp.conf file (DEFAULT_ADMIN_ADDRESS parameter). | + | You should avoid execute the Certbot client manually, or even through your own scripts, without knowing what your are doing. If you really want execute the `Certbot` client manually, you should at least reuse the email that is used by this plugin. You can find the email address in the /etc/imscp/imscp.conf file (DEFAULT_ADMIN_ADDRESS parameter). |
Be aware that not support will be given if following a manual invocation of the Certbot client, one or many of your SSL lineages are in inconsistent states. | Be aware that not support will be given if following a manual invocation of the Certbot client, one or many of your SSL lineages are in inconsistent states. | ||
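Review bot: In the added sentence the backticks were removed from the first Certbot but left on the second ("execute the `Certbot` client manually"), so the same name is formatted two ways within one paragraph; remove both. While this line is being touched, fix "avoid execute", "your are" and "want execute", and "not support" in the context line that follows, and set /etc/imscp/imscp.conf and DEFAULT_ADMIN_ADDRESS in monospace so they read as literals.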
Line 53: | Line 51: | ||
===== Certbot client version ===== | ===== Certbot client version ===== | ||
- | It is possible to use latest released version or development version of the Certbot client by changing the value of the `certbot_version` configuration parameter in the plugin configuration file. Be aware that usage of the development version is discouraged in production environments. | + | It is possible to use latest released version or development version of the Certbot client by changing the value of the **certbot_version** configuration parameter in the plugin configuration file. Be aware that usage of the development version is discouraged in production environments. |
===== Let's Encrypt registration ===== | ===== Let's Encrypt registration ===== | ||
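Review bot: The added line puts certbot_version in bold, but it is a literal configuration key that readers will type into the plugin configuration file, so DokuWiki monospace (''certbot_version'') fits better than emphasis. The sentence also never says which values select the released or the development version; list them here.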
Line 59: | Line 57: | ||
The plugin automatically process your Let's Encrypt account registration, using the administrator email address that you have provided during i-MSCP setup phase. If you need change that email, you must not forget to run the following command to update your Let's Encrypt account: | The plugin automatically process your Let's Encrypt account registration, using the administrator email address that you have provided during i-MSCP setup phase. If you need change that email, you must not forget to run the following command to update your Let's Encrypt account: | ||
- | <konsole root> | + | # certbot-auto register --update-registration --email <new_email> |
- | certbot-auto register --update-registration --email <new_email> | + | |
- | </konsole> | + | |
- | where `<new_email>` is your new email address. | + | where **<new_email>** is your new email address. |
If you don't do so, a new account will be created using the new email address and there will be inconsistencies with SSL certificate lineages, making the plugin unable to work properly. | If you don't do so, a new account will be created using the new email address and there will be inconsistencies with SSL certificate lineages, making the plugin unable to work properly. | ||
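Review bot: The added command line carries the "# " prompt and an unquoted <new_email> placeholder: pasted literally the line is a shell comment, and with the prompt stripped the angle brackets are parsed as redirection operators. Put the command in a code block without the prompt, state in the sentence above that it is run as root, and show the placeholder in a quoted form that is safe to paste.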
Line 71: | Line 67: | ||
Be sure to read https://letsencrypt.org/docs/rate-limits | Be sure to read https://letsencrypt.org/docs/rate-limits | ||
- | Note that when the Let's Encrypt limits are reached, the plugin will automatically set the status of the SSL certificate to `pending`. The pending tasks are postponed as long as the limits are not released. | + | Note that when the Let's Encrypt limits are reached, the plugin will automatically set the status of the SSL certificate to **pending**. The pending tasks are postponed as long as the limits are not released. |
===== Let's Encrypt SSL certificates for the control panel and services (FTP, IMAP/POP and SMTP) ===== | ===== Let's Encrypt SSL certificates for the control panel and services (FTP, IMAP/POP and SMTP) ===== | ||
Line 93: | Line 89: | ||
===== Note for PanelRedirect plugin users ===== | ===== Note for PanelRedirect plugin users ===== | ||
- | If you use the `PanelRedirect` plugin, you must ensure that you have a version greater or equal to `1.1.5`, else, the domain validations will fail. | + | If you use the PanelRedirect plugin, you must ensure that you have a version greater or equal to **1.1.5**, else, the domain validations will fail. |
===== SANs for alternative URLs ===== | ===== SANs for alternative URLs ===== | ||
Line 103: | Line 99: | ||
==== Warning regarding this feature ==== | ==== Warning regarding this feature ==== | ||
- | Due to the current Let's Encrypt rate limits, it is not recommended to enable this feature. Indeed, each SSL certificate issuance for which a SAN is added for an alternative URL will hits the `Certificate per Registered Domain` limit (20 per week) for the control panel domain. This explain why this feature is turned off by default. | + | Due to the current Let's Encrypt rate limits, it is not recommended to enable this feature. Indeed, each SSL certificate issuance for which a SAN is added for an alternative URL will hits the **Per Registered Domain limit** (20 per week) for the control panel domain. This explain why this feature is turned off by default. |
Note that alternative URLs as provided by i-MSCP are meant to allow the customers to access their domains for DNS propagation time. These URLs should not be exposed publicly. | Note that alternative URLs as provided by i-MSCP are meant to allow the customers to access their domains for DNS propagation time. These URLs should not be exposed publicly. |
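Review bot: The added line renames the limit from "Certificate per Registered Domain" to **Per Registered Domain limit**, which drops the word that says what is being counted and makes the name harder to match against the rate-limits page linked earlier on this page; keep "Certificate" in the name. "will hits" and "This explain" in the same line also need correcting.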