How To Set Up Let's Encrypt In Plesk

Note: at the time of writing, the Let's Encrypt extension in Plesk requires that any redirect to www and/or https be disabled (or that the /.well-known/ path be excluded from it) while a certificate is being issued or renewed; otherwise the extension cannot validate the challenge token over plain HTTP and issuance fails.
 
These instructions apply to Plesk Obsidian (v18.x) on Windows servers. For instructions for other versions of Plesk please contact our support department by emailing support@managed.com.
 
Let's Encrypt is a non-profit certificate authority that issues free SSL/TLS certificates. The certificates are valid for 90 days and can cover multiple domain names. Plesk includes an extension that installs these certificates on a domain in a few clicks and renews them automatically every 60 days (30 days before they expire). If you'd prefer a certificate that's valid for a full year at a time, Managed.com offers a selection of certificates.
 
Setting up Let's Encrypt can be done by customers in either shared environments or on a dedicated server. Please carefully follow the steps below:
  1. Important: Make sure that any domain you plan to secure has active DNS that points to the server hosting the site
  2. Login to Plesk
  3. Go to Domains > example.com > Hosting Settings
  4. Make sure the checkbox for SSL/TLS support is enabled
  5. Go to Domains > example.com and click on SSL/TLS Certificates
  6. At the bottom of the page, click Install in the section titled More options
  7. Select whether or not to include the following options:
    1. Secure the primary domain listed in Plesk
    2. Secure the wildcard (*.example.com) to cover all subdomains. A wildcard certificate is validated through DNS rather than HTTP, so if the domain's DNS zone is not served by this Plesk server the extension will ask you to add a TXT record (_acme-challenge.example.com) before it can issue
    3. Include a www version of each selected domain
    4. Include a webmail version of each selected domain (webmail.example.com)
    5. Include a mail version of each selected domain (mail.example.com) for encrypting email
  8. Select any aliases to add to the certificate
  9. Click on Get it free
Pay careful attention to any errors that appear, as they will include information on why the issuance failed. Below are several common errors you may come across.
 
Let's Encrypt could not issue a certificate for my domain because the authorization token isn't available.
The most common cause of this error is DNS records that do not point to the server. Verify that each domain's A record points to the server's IP address; if the domain also has an AAAA record, it must point to the server as well, since Let's Encrypt will use it. If you're securing the www, mail, or webmail names, check that each of these has a valid record too.
 
The token isn't available but my DNS records are all correct.
Check whether you can open the token URL listed in the error message (usually something like http://example.com/.well-known/acme-challenge/ebfwirt794tjr5gg2g4h8trfbjrfg8) in a browser. If you're redirected to another page on your site, such as the home page, then your site's CMS is rewriting the request URL. Please contact our support team for advice on how to proceed, as the method for allowing the directory varies between CMSes. If you can view the file but only after being redirected to https, then you need to disable the https redirect in Plesk (Domains > example.com > Hosting Settings) for the duration of the issuance. If you're redirecting traffic to https through the web.config file instead, modify the rule (inside <system.webServer>) so that requests under /.well-known/ are excluded from the redirect, as follows:
<rewrite>
    <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                <!-- Exclude everything under /.well-known/ from the redirect.
                     No trailing "$": a pattern such as "^/.well-known/*$" matches only
                     the directory itself, not the token file beneath it, so the
                     redirect would still fire on the challenge request. -->
                <add input="{REQUEST_URI}" negate="true" pattern="^/\.well-known/" ignoreCase="true" />
            </conditions>
            <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
    </rules>
</rewrite>
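The two checks described above (the domain's A record pointing at the server, and the token URL answering over plain HTTP without a redirect) as a PowerShell pre-flight script. This is an added example and is not part of the original article or of the Plesk extension; it assumes you paste the token URL from the extension's error message as -TokenUrl and supply the server's public IP as -ServerIp. It never follows redirects, so a 301/302 is reported as the redirect problem rather than silently followed to https, and a 404 is reported as the case covered in the next section.

```powershell
# Added example (not from the article or the Plesk extension): check a Let's Encrypt
# HTTP-01 token URL the way the troubleshooting text above describes.
# Usage: .\Test-AcmeToken.ps1 -TokenUrl 'http://example.com/.well-known/acme-challenge/<token>' -ServerIp '203.0.113.10'
# (script name, hostname and IP above are placeholders)
param(
    [Parameter(Mandatory)] [string] $TokenUrl,   # copy from the extension's error message
    [Parameter(Mandatory)] [string] $ServerIp    # public IPv4 address of this Plesk server
)

$uri = [uri]$TokenUrl
$h   = $uri.Host

# 1. DNS: the A record(s) for the name must include this server
$addrs = @(Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
           Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
if ($addrs -notcontains $ServerIp) {
    Write-Warning "$h resolves to [$($addrs -join ', ')], not $ServerIp; fix the A record first"
}

function Get-RawResponse([string] $Url) {
    # GET with redirects disabled. Keeps the response object for non-2xx codes
    # (301, 404, ...) instead of throwing, so the caller can classify the status.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    if (-not $resp) { return $null }   # connection refused, timeout, DNS failure
    $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
    $out = [pscustomobject]@{
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
        Body     = $body
    }
    $resp.Close()
    return $out
}

# 2. HTTP: force the http:// scheme even if an https URL was pasted, because the
#    extension validates over plain HTTP
$httpUrl = "http://$h$($uri.PathAndQuery)"
$r = Get-RawResponse $httpUrl
if (-not $r) {
    Write-Warning "No response from $httpUrl (connection refused, timeout or DNS failure)"
} elseif ($r.Status -in 301, 302, 307, 308) {
    Write-Warning "$httpUrl redirects to $($r.Location): disable the www/https redirect in Plesk or exclude /.well-known/ from the web.config rule"
} elseif ($r.Status -eq 200 -and $r.Body.Trim().Length -gt 0) {
    Write-Host "$httpUrl served the token over plain HTTP (status 200)"
} elseif ($r.Status -eq 404) {
    Write-Warning "$httpUrl returned 404: the acme-challenge site or application pool in IIS may be stopped"
} else {
    Write-Warning "$httpUrl returned status $($r.Status)"
}
```

Run it from any machine that can reach the server, not necessarily the server itself, so that the DNS answer you see is the public one that Let's Encrypt will also see.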
Let's Encrypt reports a 404 error.
Try to browse to the token link in the error message (usually something like http://example.com/.well-known/acme-challenge/ebfwirt794tjr5gg2g4h8trfbjrfg8). If it resolves over https but returns a 404 error over http, the acme-challenge site in IIS has most likely stopped. Please contact our support department for assistance if you're on a shared server. Dedicated server customers may follow these steps:
  1. Connect to the server via RDP
  2. Right-click on the folder C:\inetpub\temp\appPools\acme-challenge, then click on Properties
  3. On the Security tab, check that the IIS_IUSRS group is listed and that it has read and write access on the folder
  4. Click Apply button
  5. Open IIS
  6. Click on Server Name > Application Pools and make sure that the acme-challenge application pool is running
  7. Click on Server Name > Sites > acme-challenge and make sure that the site is not stopped
  8. Re-issue SSL certificate in Domains > example.com > SSL/TLS Certificates
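Steps 2 through 7 above as a PowerShell script for dedicated-server customers, so the folder permissions, application pool and site can be checked and repaired in one pass. This is an added example, not part of the original article; it assumes the WebAdministration module is present (the IIS Management Scripts and Tools feature) and that the script runs in an elevated session on the server. The site name and folder path are the ones given in the steps above.

```powershell
# Added example (not from the article): repair the IIS pieces that serve the
# Let's Encrypt challenge, following the numbered steps above.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$name   = 'acme-challenge'                              # IIS site and app pool name from step 6/7
$folder = 'C:\inetpub\temp\appPools\acme-challenge'     # folder from step 2

# Step 3: IIS_IUSRS must have Read and Write on the folder
if (-not (Test-Path $folder)) {
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
}
$want = [System.Security.AccessControl.FileSystemRights]'Read,Write'
$acl  = Get-Acl -Path $folder
$have = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\IIS_IUSRS' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $want) -eq $want)      # FullControl also satisfies this
}
if (-not $have) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\IIS_IUSRS', 'Read,Write', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl              # step 4: apply
    Write-Host "Granted Read/Write on $folder to IIS_IUSRS"
}

# Step 6: the application pool must be running
$poolState = (Get-WebAppPoolState -Name $name).Value
if ($poolState -ne 'Started') {
    Write-Host "App pool '$name' is $poolState; starting it"
    Start-WebAppPool -Name $name
}

# Step 7: the site must not be stopped
$site = Get-Website -Name $name
if (-not $site) {
    throw "IIS site '$name' not found; contact support rather than recreating it by hand"
}
if ($site.State -ne 'Started') {
    Write-Host "Site '$name' is $($site.State); starting it"
    Start-Website -Name $name
}

# Final state; if both read Started, re-issue the certificate in Plesk (step 8)
[pscustomobject]@{
    AppPool = (Get-WebAppPoolState -Name $name).Value
    Site    = (Get-Website -Name $name).State
}
```

If the site is missing altogether, the script stops rather than creating one, because the binding and configuration Plesk expects for that site are managed by the extension.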
 
