This is an old revision of the document!
Be aware that this documentation is for the last available version. If you use an older version, you must refer to the README.md file inside the plugin archive.
Provides free SSL certificates through the Let's Encrypt CA.
You can install these packages by executing the following commands:
# apt-get update
# apt-get install -y ca-certificates git libarray-diff-perl libconvert-asn1-perl libdatetime-format-strptime-perl
Note that the installation can take up several minutes.
When deactivating or uninstalling the plugin, the existents SSL certificate lineages are not removed. Also, the database entries that belong to customer SSL certificates are keep in place. This means that any SSL certificate already issued will still be usable by the customer.
According to the previous sentence, It must be noted that the current actions for SSL certificates that are displayed in the interface, at customer and administrator levels, do not predict the action that will actually take place. The real action to be performed will be automagically determined by the plugin at run time, by checking the state of the SSL certificate. In other words, the plugin is smart enough to not perform new SSL certificate issuance or renewal when that is not necessary.
You should avoid execute the Certbot
client manually, or even through your own scripts, without knowing what your are
doing. If you really want execute the Certbot
client manually, you should at least reuse the email that is used by
this plugin. You can find the email address in the /etc/imscp/imscp.conf
file (DEFAULT_ADMIN_ADDRESS parameter).
Be aware that not support will be given if following a manual invocation of the Certbot client, one or many of your SSL certificate lineages are in inconsistent states.
It is possible to use latest released version or development version of the Certbot client by changing the value of the
certbot_version
configuration parameter in the plugin configuration file. Be aware that usage of the development
version is discouraged in production environments.
The plugin automatically process your Let's Encrypt account registration, using the administrator email address that you have provided during i-MSCP setup phase. If you need change that email after while, you must not forget to run the following command to update your Let's Encrypt account:
certbot-auto register --update-registration --email <new_email>
where <new_email>
is your new email address.
If you don't do so, a new account will be created using the new email address and there will be inconsistencies with SSL certificate lineages, making the plugin unable to work properly.
Be sure to read https://letsencrypt.org/docs/rate-limits
Note that when the Let's Encrypt limits are reached, the plugin will automatically set the status of the SSL certificate
to pending
. The pending tasks are postponed as long as the limits are not released.
To enable Let's Encrypt for the control panel and/or services you must in order:
self-signed
SSL certificate optionThe link for accessing the administrator's Let's Encrypt interface is available in the System tools
section.
If you use the PanelRedirect
plugin, you must ensure that you have a version greater or equal to 1.1.5
, else, the
domain validations will fail.
You can enable support for alternative URLs by setting the include_altnames
configuration parameter totrue
in the
plugin configuration file. Once done, don't forget to trigger a plugin list update.
Be aware that this parameters acts only for new SSL certificate issuances.
Due to the current Let's Encrypt rate limits, it is not recommended to enable this feature. Indeed, each SSL certificate
issuance for which a SAN is added for an alternative URL will possibly hits the Certificate per Registered Domain
limit (20 per week) for the control panel domain. This explain why this feature is turned off by default.
Note that alternative URLs as provided by i-MSCP are meant to allow the customers to access their domains for DNS propagation time. These URLs should not be exposed publicly.
You can translate this plugin using a gettext translation editor such as Poedit
. Translation files are located under
the ./l10n
directory, inside of the plugin archive. Once translated you can send us your translation file (po file)
for integration in future release.
Note that if no translation file exists for your localization in the ./l10n/po
directory, you must create it first
from the l10n/LetsEncrypt.pot
file. Be aware that your file must be UTF-8
, else, it won't be accepted.
i-MSCP LetsEncrypt plugin
@author Laurent Declercq <[email protected]>
@copyright (C) 2016-2017 Laurent Declercq <[email protected]>
@license i-MSCP License <https://www.i-mscp.net/license-agreement.html>
See the LICENSE file inside the archive for further details.
The development of this plugin has been sponsored by: