Managing Let's Encrypt Settings

Plesk Let's Encrypt extension behavior is governed by a number of settings, for example:

How far in advance of the expiration date Let's Encrypt Certificates are renewed.
Whether the requests to the ACME server are recorded in the Plesk log or not.
The size of the RSA private key, and so on.

You can change these settings by specifying custom values in the [ext-letsencrypt] section of the panel.ini configuration file. For example, to have Let's Encrypt renew certificates 45 days in advance and to change the size of the RSA private key to 4096 bits, add the following section to the panel.ini file:

[ext-letsencrypt]

renew-before-expiration = 45

rsa-key-size = 4096

Keeping websites secured with free SSL/TLS certificates from Let’s Encrypt

The Let’s Encrypt extension can automatically keep hosted websites secured with free, trusted SSL/TLS certificates from Let’s Encrypt. This feature can be turned on or off for every individual hosting plan. When you turn this feature on for a hosting plan, for every domain, subdomain, domain alias, or webmail that belongs to a subscription based on that hosting plan and that is:

Secured with a self-signed SSL/TLS certificate.
Secured with an expired SSL/TLS certificate.
Not secured with an SSL/TLS certificate.

the self-signed or expired SSL/TLS certificate is replaced with a Let’s Encrypt certificate.

You can also have the Let’s Encrypt extension replace SSL/TLS certificates that are not issued by one of the trusted certificate authorities in addition to self-signed and expired SSL/TLS certificates. To do so, set the check-domain-cert-authority setting to true. Read more about the check-domain-cert-authority setting in “Let's Encrypt settings list”.

To keep websites secured with free SSL/TLS certificates from Let’s Encrypt:

Go to Service Plans.
On the “Hosting Plans” tab, either click Add a Plan to create a new plan or click the name of an existing plan to edit it.
Go to the “Additional Services” tab.
Under “Let's Encrypt”, select “Keep websites secured with free SSL Certificate”.
Click OK (or Update & Sync if editing an existing plan).

Now all domains, subdomains, domain aliases, and webmail that belong to subscriptions based on this hosting plan will be automatically secured with Let’s Encrypt certificates. This change affects both existing and newly created subscriptions.

Alternatively, you can enable the “Keep websites secured with free SSL Certificate” option via the XML API by sending the following request:

<?xml version="1.0" encoding="UTF-8"?>

<packet>

  <service-plan>

    <add-plan-item>

      <filter>

        <name>Default Domain</name>

      </filter>

      <plan-item>

        <name>urn:ext:letsencrypt:plan-item-sdk:keep-secured</name>

      </plan-item>

    </add-plan-item>

  </service-plan>

</packet>

Let's Encrypt settings list

All Let's Encrypt extension settings that can be specified in panel.ini are described below:

Setting	Type	Description	Default value
`server` (deprecated)	string	The ACME server directory URL. In Let’s Encrypt 2.6.0 and later, the setting is replaced with `acme-directory-url`. Currently, the `server` setting is still supported but will be deprecated in future. Replace the `server` setting with `acme-directory-url`.	`https://acme-v01.api.letsencrypt.org/directory`
`rsa-key-size`	integer	The size of the RSA private key, in bits.	2048
`user-agent`	string	The User-Agent HTTP header.	`Plesk/$PRODUCT_VERSION`
`letsencrypt-url`	string	The Let's Encrypt website URL.	`https://letsencrypt.org/`
`terms-url`	string	The Let's Encrypt Policy and Legal Repository URL.	`https://letsencrypt.org/repository/`
`renew-before-expiration`	integer	The number of days before expiration when the certificate is scheduled for auto-renewal.	30
`config-dir`	string	The path where certificates for third-party integration are stored.	`$PRODUCT_ROOT/var/modules/letsencrypt/etc`
`verify`	string	The path to the trusted CA Root Certificates bundle.	`$PRODUCT_ROOT/admin/plib/modules/letsencrypt/resources/ca/cacert.pem`
`disable-cleanup`	boolean	Disable the cleanup of token files after a domain dispute is resolved.	false
`log-requests`	boolean	Log requests to the ACME server in the Plesk log.	false
`secure-new-domain`	boolean	Set the default state of the "Secure the domain with Let's Encrypt" checkbox shown when creating a new subscription, domain, or subdomain.	false
`letsencrypt-docs-rate-limits-url`	string	The URL to Let's Encrypt documentation about “Rate Limits”. The link is displayed in the extension's GUI error messages when Let's Encrypt rate limits have been exceeded.	`https://letsencrypt.org/docs/rate-limits/`
`check-availability-delay`	integer	*The wait time in seconds between attempts to check if a domain is accessible via HTTP.	5
`check-availability-max-attempts`	integer	*The maximum number of attempts to check if a domain is accessible via HTTP.	10
`check-availability-timeout`	integer	*Timeout in seconds for checking if a domain is accessible via HTTP. If within the time defined by check-availability-timeout, no response code is received, the domain is considered to be unavailable.	5
`check-domain-cert-authority`	boolean	When the “Keep websites secured with free SSL Certificate” option is enabled, if you set this setting to "false", the Let’s Encrypt extension only replaces self-signed and expired SSL/TLS certificates. If you set it to "true", the extension also replaces SSL/TLS certificates that are not trusted by any of the root certificates in the trusted CA Root Certificates bundle (see the `verify` setting).	false
`send-notifications-interval`	date interval	Determines how often the Let’s Encrypt extension can send you notifications (for example, about a domain being secured with a Let’s Encrypt certificate or a Let’s Encrypt certificate being renewed). By default, the extension sends you one notification email per day. This email contains the information about all Let’s Encrypt-related events that occurred since the previous email was sent. To receive a separate email notification about each event right after it occurs, set this setting to 0.	1 day
`use-common-challenge-dir`		Sets usage of the common challenge directory: `/var/www/vhosts/default/.well-known/acme-challenge.` Note: The setting is valid in Plesk 12.5 and later for Linux.	true
`fallback-registration-email`		Used as a registration email address when SSL/TLS certificates are renewed. Used only when an email address for domain registration was not saved in ModulesSettings and an email address of a domain owner was not registered.	The Administrator email
`acme-directory-url`		Directory Resource URI. `ACME v1: https://acme-v01.api.letsencrypt.org/directory` `ACME v2: https://acme-v02.api.letsencrypt.org/directory`	`https://acme-v01.api.letsencrypt.org/directory` To issue wildcard SSL/TLS certificates, change the default value to `https://acme-v02.api.letsencrypt.org/directory`.
`acme-protocol-version`		The ACME version protocol. Possible values: `acme-v01`, `acme-v02`.	`acme-v01` To issue wildcard SSL/TLS certificates, change the default value to `acme-v02`.

Note: *The Let’s Encrypt extension checks if a domain is accessible via HTTP each time a new domain is secured because domains can be unavailable for some time after they are created in Plesk. All settings starting with check-availability are applied during this check.

Note: If you have Let's Encrypt extension version 2.0.3 or earlier installed, update the extension to version 2.1 or later to change Let's Encrypt settings using the panel.ini configuration file.