Let's Encrypt extension

[custer]

Hi everyone,

We have released the new version of Let's Encrypt extension - v1.3.

Changes include:

1. Debian 6 is now supported
2. No more conflicts with alt-python-virtualenv on CloudLinux
3. Extension now ignores unsupported domains:
   1. Inactive (disabled/suspended) domains
   2. Wildcard subdomains
   3. Domains without web hosting
   4. IDN domains
4. Fixed PHP Warning: Invalid argument supplied for foreach
5. Users can now secure Plesk with www. prefix in hostname (https://github.com/plesk/letsencrypt-plesk/issues/11#issuecomment-180232416)
6. Store CLI options for certificate renewal (https://github.com/plesk/letsencrypt-plesk/issues/46)

Coming next: Let's Encrypt on Windows!

 

[DennisAm]

Great to see that a Windows version is in the works! Looking forward

 

[trialotto]

@DennisAm

There are already some possibilities to get the LE certification process working on Win based systems, as opposed to run the LE binary on a linux machine and then implementing the certificates (more or less) manually in IIS.

Have a look at the ACMESharp project on Github and/or use Certify for Windows (currently in alpha state).

Nevertheless, the integration with Plesk Panel is something that should be waited for (even though that should become more easy with before mentioned Github project).

Regards.......

PS If you want to, just start a personal conversation......in Dutch (mag best, kan ik ook lezen).

 

[custer]

Let's Encrypt v1.5 published. Changelog:

1. Windows support. Important: Plesk 12.5 MU#24 is required!
2. Translation added (ar, cs-CZ, da-DK, de-DE, el-GR, es-ES, fi-FI, fr-FR, he-IL, hu-HU, id-ID, it-IT, ja-JP, ko-KR, ms-MY, nb-NO, nl-NL, pl-PL, pt-BR, pt-PT, ro-RO, ru-RU, sv-SE, th-TH, tl-PH, tr-TR, uk-UA, vi-VN, zh-CN, zh-TW)
3. Bugfix: Always put .htaccess in the challenges folder (issues https://github.com/plesk/letsencrypt-plesk/issues/63 and https://github.com/plesk/letsencrypt-plesk/issues/82)

 

[DennisAm]

@trialotto
Thanks for your reply. I was aware of that and had an alternative running, but Plesk didn't show those certificates because they were not created using Plesk. That also means that they won't get included into backups, which makes it harder to set up SSL when a restoration is needed.

@custer
Thanks so much! Very happy to read that Let's Encrypt is now also available on Windows.
However, I get the following error when trying to install the extension:

Failed to install the extension: Executing C:\Program Files (x86)\Parallels\Plesk\admin\plib\modules\letsencrypt\scripts\post-install.php failed: Traceback (most recent call last): File "C:\Program Files (x86)\Parallels\Plesk\python\lib\runpy.py", line 162, in _run_module_as_main "__main__", fname, loader, pkg_name) File "C:\Program Files (x86)\Parallels\Plesk\python\lib\runpy.py", line 72, in _run_code exec code in run_globals File "C:\Program Files (x86)\Parallels\Plesk\python\lib\site-packages\virtualenv.py", line 2380, in main() File "C:\Program Files (x86)\Parallels\Plesk\python\lib\site-packages\virtualenv.py", line 853, in main symlink=options.symlink) File "C:\Program Files (x86)\Parallels\Plesk\python\lib\site-packages\virtualenv.py", line 1021, in create_environment site_packages=site_packages, clear=clear, symlink=symlink)) File "C:\Program Files (x86)\Parallels\Plesk\python\lib\site-packages\virtualenv.py", line 1187, in install_python mkdir(lib_dir) File "C:\Program Files (x86)\Parallels\Plesk\python\lib\site-packages\virtualenv.py", line 469, in mkdir os.makedirs(path) File "C:\Program Files (x86)\Parallels\Plesk\python\lib\os.py", line 157, in makedirs mkdir(name, mode) WindowsError: [Error 5] Access Denied: 'Lib'

 

[custer]

Hi Dennis,

Just in case: have you installed Plesk 12.5 MU#24 before installing the extension?

 

[DennisAm]

Yep, forgot to mention that. My apologies.

I'm running Windows Server 2012 R2, Plesk 12.5.30 Update #24.

Plesk displays that an error occurred during the installation of the extension, but also mentions that the extension was successfully installed (see screenshot below).
When I try to run Let's Encrypt from wihtin a subscription, I get the error "Error: Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: The system could not find the path specified."

 

[Kingsley]

Sub domain support?

 

[custer]

Sub domain support?

On our roadmap: https://github.com/plesk/letsencrypt-plesk/issues/19

 

[trialotto]

@custer (and @everyone interested),

Subdomain support is already present.

However, there are two ways of "thinking of subdomain support":

1) having a LE certificate for (only) sub.domain.tld: this is not supported (and should not be supported, in the light of security considerations)

2) having a LE certificate for domain.tld and associated (one or multiple) sub.domain.tld: this is supported, with the following notes

- domain.tld and (all) sub.domain.tld share the same LE certificate,
- the Let´s Encrypt interface is not quite convenient to assign the LE certificate,
- one can use the CLI for the Let´s Encrypt extension to assign the LE certificate to domain.tld and (one or multiple) sub.domain.tld,
- the usage of the CLI allows, in theory, to define (one or multiple) sub.domain.tld for which you want to use the LE certificate,

and the above is the status quo, as far as I am aware of, I can be mistaken.

Note that the widly demanded for "wildcard subdomain support" (read: subdomain support for *.domain.tld) is not the same as "subdomain support" (read: support for sub.domain.tld).

In essence, the "wildcard" approach is a lazy definition style, as opposed to the explicit style of defining the sub.domain.tld.

Let´s Encrypt does not or does not yet support the wildcard subdomain support, as far as I know of (and, again, it should not be supported, for security considerations).

However, one can use the CLI for the Let´s Encrypt extension to define multiple domains or subdomains at once, a so-called "for loop" is not even necessary.

Regards....

 

[Eddie Spoon]

Can it be used for email? One of our biggest support issues is users who can't use port 25 but then have to put up with self signed SSL warnings.

 

[EugeneKazakov]

Can it be used for email? One of our biggest support issues is users who can't use port 25 but then have to put up with self signed SSL warnings.

Hello Eddie,

It is a valid use case, take a look at the following configuration steps: https://github.com/plesk/letsencrypt-plesk/wiki/Secure-Mail-Server

 

[Eddie Spoon]

Hello Eddie,

It is a valid use case, take a look at the following configuration steps: https://github.com/plesk/letsencrypt-plesk/wiki/Secure-Mail-Server

Awesome, thanks. Any plans to get that functionality added to the CP?

 

[mrkman]

I am running version 1.5. I have noticed that once Let's Encrypt is enabled/applied to a domain name, there is *no* way to turn off the Let's Encrypt SSL certificate for that domain name. Can a button be added so it can be disabled/removed please?

 

[custer]

I am running version 1.5. I have noticed that once Let's Encrypt is enabled/applied to a domain name, there is *no* way to turn off the Let's Encrypt SSL certificate for that domain name. Can a button be added so it can be disabled/removed please?

Go to Hosting Settings on a domain and choose a different certificate or no certificate at all. This will effectively "turn off" Let's Encrypt for this domain.

 

[mrkman]

Cool man thanks!

 

[trialotto]

@mrkman (and @custer)

An answer has already been given by @custer and that procedure should be followed, but that is not all.

In addition, one should delete the let´s encrypt certificates in order to prevent that the LE extension updates the (unused) LE certificates in the background.

That is a whole different story: it requires some digging and working with SSH.

In short, a disable/remove button should be introduced into the LE extension.

Regards......

 

[Larsm]

hi,

i have this Problem with letsencrypt: What cabn i do??

Fehler bei der Ausführung von /opt/psa/admin/plib/modules/letsencrypt/scripts/pre-uninstall.php. Der Exitcode lautet 1 und die Ausgabe ist: [2016-10-27 13:05:13] ERR [extension/letsencrypt] Cannot uninstall scheduled task renew_certificates with error: Object not found: 0x
[2016-10-27 13:05:14] ERR [panel] Execution le-installer has failed with exit code 100, stdout: , stderr: E: Unable to locate package plesk-letsencrypt-pre
:
0: /opt/psa/admin/plib/pm/ApiCli.php:150
    pm_ApiCli::_filterResult(string 'le-installer', integer '100', string '', string 'E: Unable to locate package plesk-letsencrypt-pre
', integer '5')
1: /opt/psa/admin/plib/pm/ApiCli.php:143
    pm_ApiCli::_execCommand(string 'le-installer', string ''/opt/psa/admin/bin/modules/letsencrypt/le-installer'  'remove'', integer '5', array)
2: /opt/psa/admin/plib/pm/ApiCli.php:91
    pm_ApiCli::callSbin(string 'le-installer', array)
3: /opt/psa/admin/plib/modules/letsencrypt/library/Installer.php:96
    Modules_Letsencrypt_Installer::cleanup()
4: /opt/psa/admin/plib/modules/letsencrypt/scripts/pre-uninstall.php:6
ERROR: pm_Exception_ResultException: Execution le-installer has failed with exit code 100, stdout: , stderr: E: Unable to locate package plesk-letsencrypt-pre
 (ApiCli.php:150)

When i reinstall this extension i got this:

Fehler bei der Ausführung von /opt/psa/admin/plib/modules/letsencrypt/scripts/post-install.php. Der Exitcode lautet 1 und die Ausgabe ist:

 

[vlikhtanskiy]

Hi @Larsm!

Could you provide more details: What is output of command #plesk version ?

 

[TomBoB]

Cross post from https://talk.plesk.com/threads/how-to-create-a-webmail-domain-tld-certificate.339988/

Would be nice to be able to use the lets encrypt cert for domains to also use it to secure the webmail.domain.tld roundcube/horde subdomain