Managing Let’s Encrypt Settings
Plesk Let’s Encrypt extension behavior is governed by a number of settings, for example:
- How far in advance of the expiration date Let’s Encrypt Certificates are renewed.
- Whether the requests to the ACME server are recorded in the Plesk log or not.
- The size of the RSA private key, and so on.
You can change these settings by specifying custom values in the
[ext-letsencrypt]
section of the panel.ini
configuration file. For example, to have Let’s Encrypt renew
certificates 45 days in advance and to change the size of the RSA
private key to 4096 bits, add the following section to the panel.ini
file:
[ext-letsencrypt]
renew-before-expiration = 45
rsa-key-size = 4096
Keeping websites secured with free SSL/TLS certificates from Let’s Encrypt
The Let’s Encrypt extension can automatically keep hosted websites secured with free, trusted SSL/TLS certificates from Let’s Encrypt. This feature can be turned on or off for every individual hosting plan. When you turn this feature on for a hosting plan, for every domain, subdomain, domain alias, or webmail that belongs to a subscription based on that hosting plan and that is:
- Secured with a self-signed SSL/TLS certificate.
- Secured with an expired SSL/TLS certificate.
- Not secured with an SSL/TLS certificate.
The self-signed or expired SSL/TLS certificate is replaced with a Let’s Encrypt certificate.
You can also have the Let’s Encrypt extension replace SSL/TLS
certificates that are not issued by one of the trusted certificate
authorities in addition to self-signed and expired SSL/TLS certificates.
To do so, set the check-domain-cert-authority
setting to true. Read
more about the check-domain-cert-authority
setting in “Let’s Encrypt
settings list”.
To keep websites secured with free SSL/TLS certificates from Let’s Encrypt:
- Go to Service Plans.
- On the “Hosting Plans” tab, either click Add a Plan to create a new plan or click the name of an existing plan to edit it.
- Go to the “Additional Services” tab.
- Under “SSL It!, select “Keep websites secured with free SSL Certificate”.
- Click OK.
Now all domains, subdomains, domain aliases, and webmail that belong to subscriptions based on this hosting plan will be automatically secured with Let’s Encrypt certificates. This change affects both existing and newly created subscriptions.
Alternatively, you can enable the “Keep websites secured with free SSL Certificate” option via the XML API by sending the following request:
<?xml version="1.0" encoding="UTF-8"?>
<packet>
<service-plan>
<add-plan-item>
<filter>
<name>Default Domain</name>
</filter>
<plan-item>
<name>urn:ext:letsencrypt:plan-item-sdk:keep-secured</name>
</plan-item>
</add-plan-item>
</service-plan>
</packet>
Let’s Encrypt settings list
All Let’s Encrypt extension settings that can be specified in
panel.ini
are described below:
Setting | Type | Description | Default value |
---|---|---|---|
rsa-key-size |
integer | The size of the RSA private key, in bits. | 2048 |
user-agent |
string | The User-Agent HTTP header. | Plesk/$PRODUCT_VERSION |
letsencrypt-url |
string | The Let’s Encrypt website URL. | https://letsencrypt.org/ |
terms-url |
string | The Let’s Encrypt Policy and Legal Repository URL. | https://letsencrypt.org/repository/ |
(deprecated) |
integer |
The number of days before expiration when the certificate is scheduled for auto-renewal. The same setting can be used for the SSL It! extension as well. In this case, the setting for SSL It! will have higher priority over the one for Let’s Encrypt. Currently, the setting is still supported but will be deprecated from Let’s Encrypt in the future. |
30 |
config-dir |
string | The path where certificates for third-party integration are stored. | $PRODUCT_ROOT/var/modules/letsencrypt/etc |
verify |
string | The path to the trusted CA Root Certificates bundle. | $PRODUCT_ROOT/admin/plib/modules/letsencrypt/resources/ca/cacert.pem |
disable-cleanup |
boolean | Disable the cleanup of token files after a domain dispute is resolved. | false |
log-requests |
boolean | Log requests to the ACME server in the Plesk log. | false |
secure-new-domain |
boolean | Set the default state of the “Secure the domain with Let’s Encrypt” checkbox shown when creating a new subscription, domain, or subdomain. | false |
letsencrypt-docs-rate-limits-url |
string | The URL to Let’s Encrypt documentation about “Rate Limits”. The link is displayed in the extension’s GUI error messages when Let’s Encrypt rate limits have been exceeded. | https://letsencrypt.org/docs/rate-limits/ |
check-availability-delay |
integer | *The wait time in seconds between attempts to check if a domain is accessible via HTTP. | 5 |
check-availability-max-attempts |
integer | *The maximum number of attempts to check if a domain is accessible via HTTP. | 10 |
check-availability-timeout |
integer | *Timeout in seconds for checking if a domain is accessible via HTTP. If within the time defined by check-availability-timeout, no response code is received, the domain is considered to be unavailable. | 5 |
check-domain-cert-authority |
boolean | When the “Keep websites secured with free SSL Certificate”
option is enabled, if you set this setting to “false”, the
Let’s Encrypt extension only replaces self-signed and expired
SSL/TLS certificates. If you set it to “true”, the extension
also replaces SSL/TLS certificates that are not trusted by any
of the root certificates in the trusted CA Root Certificates
bundle (see the verify setting). |
false |
send-notifications-interval |
date interval | Determines how often the Let’s Encrypt extension can send you notifications (for example, about a domain being secured with a Let’s Encrypt certificate or a Let’s Encrypt certificate being renewed). By default, the extension sends you one notification email per day. This email contains the information about all Let’s Encrypt-related events that occurred since the previous email was sent. To receive a separate email notification about each event right after it occurs, set this setting to now. | 1 day |
use-common-challenge-dir |
Sets usage of the common challenge directory:
/var/www/vhosts/default/.well-known/acme-challenge.
|
true | |
(deprecated) |
Used as a registration email address when SSL/TLS certificates are renewed. Used only when an email address for domain registration was not saved in ModulesSettings and an email address of a domain owner was not registered. Currently, Let’s Encrypt requires an email to issue a certificate. The setting is still supported at the moment but will be deprecated in the future. |
The Administrator email | |
acme-directory-url |
Directory Resource URI. | https://acme-v02.api.letsencrypt.org/directory |
|
acme-protocol-version |
The ACME protocol version. | acme-v02 |
Note: *The Let’s Encrypt extension checks if a domain is accessible via
HTTP each time a new domain is secured because domains can be
unavailable for some time after they are created in Plesk. All
settings starting with check-availability
are applied during this
check.