Let’s Encrypt on Plesk: Your key to a free SSL certificate

The web is an endless battleground. The good guys are always trying to keep the bad guys from hacking, ransoming, and conning their way into our online lives. Our best weapon? Encryption. The web works on trust, and thanks to encryption, HTTPS provides exactly that. But if a website is going to use it, it first needs to get a free SSL certificate from a Certificate Authority (CA), such as Let’s Encrypt.

Let’s Encrypt – What is it?

Let’s Encrypt will only issue a certificate if you can demonstrate control over your domain. You do that with a software client that speaks the ACME (Automatic Certificate Management Environment) protocol. Having the free SSL certificate means your communications get end-to-end encryption.

So, when files pass between your web server and its users, they are unreadable to anyone who intercepts them. Moreover, nobody can tamper with them.

The Electronic Frontier Foundation developed Certbot, which has now become the best known and most widely used ACME client on the block. Certbot verifies the domain’s ownership, fetches certificates, and takes care of TLS/SSL configuration on web servers using Nginx and Apache.

What does a Certificate Authority do?

Certificate Authorities (CAs) vouch for the authenticity of TLS/SSL certificates by validating them using cryptography. Operating systems and browsers use a directory of trusted CAs to make sure that site certificates are bona fide.

This kind of authentication was something we had to pay for in the past. But now, Let’s Encrypt has broken tradition to offer automated creation of each free SSL certificate for the end user. The whole thing runs with funding from sponsors and donors.

How Let’s Encrypt does its thing

The ACME protocol that Let’s Encrypt uses defines how clients interact with its servers when asking for certificates and confirming domain ownership. At some point soon, it will be recognized as an official IETF standard.

Let’s Encrypt for HTTPS

Let’s Encrypt provides domain-validated free SSL certificates. This means that after a request for a free HTTPS certificate, Let’s Encrypt makes sure that it comes from someone who is truly in charge of that domain. It sends the client a one-of-a-kind token, which the client uses to create a key. The domain owner then needs to provide this key via the web or DNS.

Let’s Encrypt for HTTP

In the case of HTTP, the process is a bit different. The client derives the key from the unique token and an account token. The result goes in a file that the web server makes available, and the Let’s Encrypt servers fetch the file from this address. If the key matches, the client has established domain control, and they get a free SSL certificate.

The ACME protocol defines a number of challenges that a client can use to verify ownership of a domain. For HTTPS the approach resembles that for HTTP, but the client creates a self-signed certificate that includes the key. The DNS challenge looks for the key in a DNS TXT record.
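Added example, not part of the original article or of any ACME client: how the key for the HTTP and DNS challenges is derived under the ACME specification (RFC 8555), where the "account token" is the RFC 7638 thumbprint of the account's public key and the DNS TXT value is a SHA-256 digest of the key. The token, the account key and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# JWK members that enter the thumbprint, per key type (RFC 7638, section 3.2).
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Constructed sample values: not a real account key, not a real CA token.
SAMPLE_TOKEN = "constructed-token-0123456789abcdefABCDEF"
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses for binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (the 'account token' part)."""
    members = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The 'key' from the text: CA token, a dot, then the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_url(domain: str, token: str) -> str:
    """Where the CA fetches the file: plain HTTP under a fixed well-known path."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """TXT record name and value; the value is a digest of the key authorization."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

def ca_accepts(served_body: str, token: str, account_jwk: dict) -> bool:
    """CA-side check: trailing whitespace is ignored, anything else must match."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(served_body.rstrip().encode(), expected.encode())

if __name__ == "__main__":
    print(http01_url("www.example.com", SAMPLE_TOKEN))
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print(dns01_record("www.example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

Because the thumbprint binds the response to one ACME account, a token copied to another account's web server fails validation.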

Let’s Encrypt Certbot Client

Certbot is by far the most widely used Let’s Encrypt client. It is packaged for most major Linux distributions and can automatically configure both Apache and Nginx. After it finishes installing, you can get a free SSL certificate and update your Apache configuration as below.

sudo certbot --apache -d www.example.com

Certbot will ask some questions, run a challenge, download certificates, update your Apache configuration, and reload the server.

After this, when you browse to https://www.example.com you will see a green lock, which confirms both a valid certificate and an encrypted connection.

Each Let’s Encrypt free SSL certificate lasts for only 90 days, so you need to make sure that you set it to renew automatically.

This command will take care of renewing all of a machine’s certificates: sudo certbot renew

If you add this command to a crontab so it runs every day, your certificates will always be renewed 30 days before expiration is due. Certbot will also reload the server after a successful renewal, so long as the initial creation of the certificate included the --apache or --nginx option.

More Let’s Encrypt-ACME Clients you should know of

The ACME protocol is open in nature and its documentation is very comprehensive, which has encouraged the development of many other clients.

You can find an up-to-date list of ACME clients here.

Certbot is one of the few clients to offer automatic web server configuration, but the others do provide features that may be of interest.

  1. If you want to avoid Python and other Certbot dependencies (perhaps because you want to create certificates in a constrained environment), you can pick a client written in a language like Go or Node.js.
  2. Some clients are able to run without root privileges. This is good, because running the smallest possible amount of privileged code is considered good practice.
  3. Lots of clients are able to complete the DNS-based challenge automatically. They do this by using the API of your DNS provider to create the relevant TXT record. This challenge also covers harder-to-handle cases, such as web servers that are only accessible privately.
  4. You will find some clients integrated into web servers, reverse proxies, or load balancers. This makes configuration and deployment a breeze.

Lots of other clients can be used, and lots of other servers and services automate TLS/SSL setup thanks to Let’s Encrypt support.

How to make and update Let’s Encrypt free SSL certificates with Plesk

Plesk has a plugin that lets you handle Let’s Encrypt free SSL certificates.

To work with a Let’s Encrypt SSL certificate the domain name must work in a web browser, regardless of whether or not it has any content. The process only works for a valid domain.

Here is how to get a Let’s Encrypt free SSL certificate for your domain:

  1. Log in to Plesk.
  2. On the left sidebar, click Websites & Domains.
  3. Click on the Let’s Encrypt symbol to pull up the Let’s Encrypt SSL Certificate page.
  4. Type a valid e-mail address in the box.
  5. Select the “Include www.(example.com) as an alternate domain name” check box, so that the SSL certificate protects your domain with and without the www prefix.

5.1. If you leave the box unchecked, the certificate will only cover example.com. If you select the checkbox, it will be valid for www as well.

5.2. Click Install. When installation finishes successfully you will get a confirmation message.

5.3. If it doesn’t work, check that the domain name is valid. Also, check that the domain is:

  • spelled right
  • registered
  • set up with proper DNS records
  • accessible on the web

When you create or add a domain to the server, be sure to add the relevant DNS records (with an A record pointing to the server IP address as a minimum), and allow adequate time for the DNS changes to propagate.

  6. In the left sidebar, click Websites & Domains.
  7. Click Hosting Settings.
  8. Under Security, select the SSL support check box, and the Let’s Encrypt SSL certificate in the Certificate list box.

Plesk renews Let’s Encrypt certificates automatically

So you don’t need to do anything. Let’s Encrypt free SSL certificates are valid for 90 days by default. But Plesk renews certificates every month automatically, which is what the Let’s Encrypt developers recommend.

Renewing early enhances your site’s security, and it is transparent to you and the visitors to your site. It also gives you extra time to find a solution if a renewal doesn’t go through for whatever reason.

Manually renewing an SSL certificate in Plesk

You can also renew a certificate manually:

  1. Log in to Plesk.
  2. In the left sidebar, click Websites & Domains.
  3. Click the Let’s Encrypt icon and select “Renew”.

2 Comments

  1. Hi Elvis,

    For some reason my Plesk doesn’t renew the certificate after 30 days with Let’s Encrypt.
    There is a task that runs every 50 minutes (created automatically by Let’s Encrypt):

    /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.php'

    It’s true that that domain wasn’t on that server on the 30th day but on another server with a different IP, but even now that it is on the correct server it is not renewed.
