Let's Encrypt

2017-12-07 20:08:23
Plesk Version
12.5 and up
Average Rating


Let's Encrypt is a certificate authority (CA) that allows you to create a free SSL certificate for your domains. Let's Encrypt extension for Plesk gives all Plesk users the power to get a free Let's Encrypt certificate with just a couple of clicks. Features: * Working out of the box, no setup or command line operations required * Signing of SSL certificates for domains, subdomains, domain aliases, and webmail * Automatic renewal of all certificates * Securing the Plesk panel itself System requirements: * All supported Linux platforms * Windows 2012 or later Known limitations: * If Plesk 12.5 is secured during the installation, the certificate will not be seen in the list of certificates on this Plesk instance. Indeed, Plesk Panel will be properly secured and the certificate will be updated on time. * Securing webmail subdomains is only available for Plesk 17.0 and later. * Securing subscriptions and domains on creation is only available for Plesk 17.0 and later. * Email notifications are only available for Plesk 17.0 and later.


# 2.5.0 (07 December 2017) * [+] Let's Encrypt extension can now automatically keep all subscription's websites secured. It finds subscription's add-on domains, subdomains, aliases, www, or webmail domains without a certificate, or with a self-signed or expired certificate, and secures them with a free Let's Encrypt certificate. To enable this feature, open the hosting plan or subscription settings, "Additional Services" tab, and select "Keep websites secured with free SSL Certificate" in the list next to "Let's Encrypt". The check runs each hour by default, which can be configured in Tools & Settings > Scheduled Tasks > "Extension letsencrypt" task. * [-] Email address on an IDN domain could not be used to issue a Let's Encrypt certificate for Plesk Panel or a domain. (EXTLETSENC-372, EXTLETSENC-399) * [-] In email notifications, IDN domains were written in punycode. (EXTLETSENC-389) * [-] IDN domain used for Plesk Panel could not be secured. (EXTLETSENC-371) * [-] When automatically renewing a certificate, the extension attempted and failed challenges on disabled domain aliases, included in the current certificate. This resulted in excessive email notifications. Now the extension detects such domain aliases and does not attempt challenges on them. (EXTLETSENC-391) * [-] The extension attempted to automatically renew certificates for suspended and disabled domains, which failed and caused excessive email notifications. (EXTLETSENC-375, EXTLETSENC-387) * [-] Domains without SSL/TLS support had the Let's Encrypt button, allowing users to issue certificates, which could not be used afterwards. (EXTLETSENC-127) * [-] Disabled domain aliases had the Let's Encrypt button, allowing users to attempt to issue a certificate. (EXTLETSENC-397) * [-] Securing Plesk Panel with CLI command did not complete: the certificate was issued and saved to server storage, but was not applied. (EXTLETSENC-374) # 2.4.0 (16 October 2017) * [+] The customers are now notified by email about automatic certificate renewal, both successful and failed. This behaviour can be configured in Tools & Settings – Notifications. * [*] In error reports, technical details are now grouped together in a collapsed text block. * [*] The certificate used for securing mail service will now be renewed and applied automatically. Several issues with renewing certificates were fixed. * [*] On Windows servers, domain certificates used for securing Plesk Panel are now actually renewed instead of removing old certificate and issuing a new one. (Only for Plesk 17.8 and later.) * [-] When creating a subscription or domain with an internationalized domain name, automatic installation of a Let's Encrypt certificate failed. (EXTLETSENC-329) * [-] If Let's Encrypt Authority rejects the request with "Policy forbids issuing for name", the error message now provides relevant information and a reference link. (EXTLETSENC-202) * [-] The certificate used for securing Plesk Panel was not shown in the certificate repository. (EXTLETSENC-187) * [-] Under certain circumstances, the certificate for Plesk Panel was not renewed upon updating the Let's Encrypt extension from versions earlier than 2.0. (EXTLETSENC-322) * [-] When issuing a certificate for a webmail addon domain, if an error occurred, the error message did not provide a relevant explanation. (EXTLETSENC-321) * [-] On Windows servers, symbolic links to certificates were created with extra `\` symbols, which prevented opening them with some applications, for example with `notepad.exe`. (EXTLETSENC-315) # 2.3.0 (31 August 2017) * [+] When creating a subscription, add-on domain, or subdomain, it can be immediately secured with a Let's Encrypt certificate. The corresponding checkbox on the subscription or domain creation page is not selected by default. To make it selected by default, add the following setting in the `panel.ini`: [ext-letsencrypt] secure-new-domain = true * [*] The Let's Encrypt extension now explains common errors that can happen when issuing a certificate and gives instructions on resolving them. * [-] When using Let's Encrypt CLI for issuing a certificate, the alternative domain names, passed as command parameters, were not included in the cerfificate. (EXTLETSENC-104) * [-] An error message was shown when the extension could not clean up certain temporary files after issuing a certificate. Now a warning message is shown instead. (EXTLETSENC-106) * [-] Under certain circumstances, on Plesk 12.5 servers, issuing a certificate on a subscription with incorrect DNS configuration resulted in a 'PHP fatal error'. (EXTLETSENC-256) * [-] Under certain circumstances, if the web server restarted during the process of renewing a certificate, it could not access the certificate file, which resulted in failure to restart. (EXTLETSENC-213) * [-] Under certain circumstances, on Plesk 12.5 servers, a certificate renewal task failed with 'DEBUGGER DETECTED' message. (EXTLETSENC-255) * [-] The symbolic links to issued certificates were created with Unix-style path separator, which resulted in them being unreadable. (EXTLETSENC-235) # 2.2.2 (20 July 2017) * [*] To prevent Let's Encrypt extension from automatically securing Plesk Panel on installation, add the following setting in `panel.ini` before installing or updating the extension: [ext-letsencrypt] disable-panel-auto-securing = false * [-] In certain cases, when installing or upgrading the extension, a valid certificate used for securing Plesk Panel was detected as insecure and replaced with Let's Encrypt certificate. (EXTLETSENC-222) * [-] Setting the `verify` option to `true` in panel.ini config section for Let's Encrypt extension resulted in inability to connect to the Let's Encrypt CA servers. (EXTLETSENC-223) * [-] The command line interface did not allow to issue certificates for domains with `www` prefix. (EXTLETSENC-226) # 2.2.1 (12 July 2017) * [-] The extension incorrectly handled errors in communicating with Plesk Panel, which disrupted the functioning of extension itself. Now it correctly handles such errors, shows an explaining message and continues working when possible. (EXTLETSENC-221) # 2.2.0 (11 July 2017) * [!] This update contains changes, affecting both Let's Encrypt and Security Advisor extensions. Please also update Security Advisor to version 1.4.1 or later. * [+] Plesk Panel can now be secured with a Let's Encrypt certificate. The corresponding setting is now available at the SSL/TLS Certificates page. * [+] Upon installing or upgrading (either at Plesk installation or separately), the extension checks that a trusted certificate is used for Plesk Panel. If the extension detects a non-trusted (for example, self-signed) certificate, it automatically attempts to replace it with a trusted certificate from Let's Encrypt CA. Thus, in most cases, a fresh installation of Plesk Panel is secured since the first login. * [*] The extension now detects and renews Let's Encrypt certificates, obtained with Security Advisor for securing Plesk Panel. * [*] Renewing the Let's Encrypt certificates is now done at a random time within the day when the certificate is due to renewal. This helps evenly spreading the load on Let's Encrypt Certificate Authority and enables issuing more free certificates. * [-] Cases, when IPv6 was disabled for a subscription but an external DNS resolved the domain name to an IPv6 address, were not detected. This resulted in failing attempts to create a certificate. Now Plesk correctly detects such cases and shows a message, explaining the problem. (EXTLETSENC-182) * [-] The extension was not able to renew certificates, issued before updating the extension to version 2.0 for domain names with uppercase letters. (EXTLETSENC-211) * [-] The subscription's certificate README file was missing a link to the Certbot documentation. (EXTLETSENC-166) * [-] A failed certificate installation led to exhausting the Let's Encrypt rate limits for a domain, which resulted in inability to renew the certificate. (EXTLETSENC-198) * [-] On Windows servers, Renewing certificate for webmail.<domain.tld> failed. (EXTLETSENC-164) # 2.1.0 (18 May 2017) * [+] It is possible to include webmail to Let's Encrypt certificate request and secure both the domain and webmail with this certificate. * [*] Let's Encrypt custom settings can be configured via the `panel.ini` file. * [-] After a certificate for a subdomain had been issued, it was impossible to renew the certificate for the parent domain. (EXTLETSENC-105) # 2.0.3 (13 April 2017) * [*] The extension now logs its communication with the Let's Encrypt servers in the "panel.log". This enables better troubleshooting when there are some issues with requesting a certificate. # 2.0.2 (06 April 2017) * [*] Before requesting a certificate for multiple domain names, the extension verifies the ownership of each domain name included in the request. If a domain name passes the verification but its "www" counterpart fails it, the latter is excluded from the certificate signing request. After verification is finished, a warning message listing the excluded domain names is displayed. * [*] For each secured domain, the extension creates a symbolic link to the certificate. When the extension renews the certificate, it updates the link, so that the link always points to the latest certificate. * [-] On Windows 2012 and Windows 2016 servers, renewed certificates were not added to IIS. # 2.0.1 (28 March 2017) * [-] Let's Encrypt certificates could not be issued if no list of trusted root CAs could be found on the server. (EXTLETSENC-82) # 2.0.0 (27 March 2017) * [+] Domain aliases support added * [+] IDN domains support * [*] Granular and reliable renew process: the extension now performs a daily check for certificates which are about to expire and renews them not earlier than 30 days before their expiration * [*] Replaced Python-based certbot with PHP-based client * [-] Fixed installation issues with python dependencies when 3rd-parties upgrade breaks compatibility * [-] Fixed python-related issues (virtualenv and so on) on Windows # 1.9 (8 October 2016) * [+] Ubuntu 16 support added * [-] Fixed dist-upgrade issue on debian/ubuntu OSes # 1.8 (15 September 2016) * [*] Upgrade on Windows recreates virtualenv * [-] Fixed issues after upgrade Plesk to Onyx # 1.7 (26 August 2016) * [-] ConnectionError on Windows 2012 (issue #103) * [*] Update certificate with new API in Onyx * [*] Use certbot packages instead of letsencrypt * [+] Update subscriber agreement * [+] Hide disabled webspaces from the domains list # 1.6 (6 June 2016) * [*] Switch from system python to plesk-py27 on all unix OSes (issues #59, #68, #70) # 1.5 (4 March 2016) * [+] Windows support (2012 and above, Plesk 12.5 MU#24 is required) * [+] Translation added (ar, cs-CZ, da-DK, de-DE, el-GR, es-ES, fi-FI, fr-FR, he-IL, hu-HU, id-ID, it-IT, ja-JP, ko-KR, ms-MY, nb-NO, nl-NL, pl-PL, pt-BR, pt-PT, ro-RO, ru-RU, sv-SE, th-TH, tl-PH, tr-TR, uk-UA, vi-VN, zh-CN, zh-TW) * [-] Always put .htaccess in the challenges folder (issues #63 and #82) # 1.4 (19 February 2016) * [-] Fixed certificates renew task broken in 1.3 (issue #77) # 1.3 (15 February 2016) * [+] Debian 6 is now supported * [+] Extension now ignores unsupported domains: * Inactive (disabled/suspended) domains * Wildcard subdomains * Domains without web hosting * IDN domains * [+] Users can now secure Plesk with www. prefix in hostname (issue #11) * [+] Store CLI options for certificate renewal (issue #46) * [+] Disable rewrite rules and satisfy authentication (with `.htaccess` file) in challenges directory (issues #13 and #16) * [-] No more conflicts with alt-python-virtualenv on CloudLinux * [-] Fixed PHP Warning: Invalid argument supplied for foreach * [-] ExpatError in case Plesk port 8443 is customized (issue #30). Thanks to @MatrixCrawler * [-] Disable HTTPS warnings: localhost is always trusted # 1.2 (23 December 2015) * [+] Ability to use the certificate for Plesk (issue #11) * [+] CLI to use the certificate for Plesk: `--letsencrypt-plesk:plesk-secure-panel` (issue #11) * [+] Add note about monthly certificate renewal * [-] Fixed duplicate renew tasks if the original was changed # 1.1 (14 December 2015) * [+] Ability to include www.domain.tld as an alternative domain name (issue #4) * [-] Save the previously used e-mail address (issue #17) # 1.0 (4 December 2015) * [*] Install binary dependencies from wheels (gcc is not required) * [+] List of hosted domains and subdomains * [+] Button under each domain on Websites&Domains * [+] Submit e-mail and automatically install the certificate on the domain * [+] Monthly task renews certificates issued by Let's Encrypt (according to the name of the certificate) * [*] Retrieve info about hosted domains through Plesk API * [+] Install certificates in Plesk * [+] Treat www.domain.tld as an alias of domain.tld