Documentation
4.10. Let's Encrypt client / CertBot¶
4.10.1. Introduction¶
The lets-encrypt resource allows SFTPPlus to automatically request SSL / X.509 certificates from Let's Encrypt's Certificate Authority.
It acts as an embedded certbot.
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). It offers everyone a convenient way to get fairly large numbers of SSL/TLS/X.509 certificates, in an automated way, completely for free.
You can find out more about Let's Encrypt by visiting the dedicated website.
As this page focuses on configuration options, refer to the dedicated Let's Encrypt operations page.
You can only have a single lets-encrypt resource defined. All the file transfer services will use the same unique lets-encrypt resource.
As part of the lets-encrypt resource configuration you define the general options, while each service which uses Let's Encrypt certificate will have a dedicated option with the domain for which the certificate is issued .
Below is an example in which three file transfer services define the domain name for Let's Encrypt:
[resources/9ac4-1054-f0e4]
enabled = yes
name = Let's Encrypt Cert Generator
type = lets-encrypt
address = 0.0.0.0
port = 80
acme_url = https://acme-v02.api.letsencrypt.org/directory
contact_email = admin-contact@your-domain.tld
redirect_url = https://sftp.your-domain.tld/home/
[services/1c17-4485-878c]
name = FTPS Explicit
type = ftp
ssl_domains = ftps.files.example.com
[services/17c9-7aa6-2f35]
name = FTPS Implicit
type = ftpsi
ssl_domains = ftps.files.example.com
[services/de43-bc54-342a]
name = HTTPS Service
type = https
ssl_domains = www.files.example.com, files.example.com
4.10.2. enabled¶
- Optional
Yes
- Default value
Yes
- Values
Yes
No
- From version
3.42.0
- Description
Set to Yes to have Let's Encrypt automatically started when SFTPPlus starts.
Set it to No to have the resource stopped.
You can still manually start and stop the resource from the Local Manager.
4.10.3. address¶
- Optional
No
- Default value
N/A
- Values
IPv4 address
IPv6 address
Fully Qualified Domain Name (FQDN).
0.0.0.0
- From version
3.42.0
- Description
Address on which SFTPPlus' Let's Encrypt service will listen for validating the HTTP-01 challenge.
Use 0.0.0.0 to listen on all the available network interfaces.
4.10.4. port¶
- Optional
No
- Default value
80
- Values
Port number.
- From version
3.42.0
- Description
Port on which SFTPPlus' Let's Encrypt service will listen for validating the HTTP-01 challenge.
This must be a unique port number for the local machine, to avoid conflicts between different services.
On Unix-like systems, a root account is required for using ports below 1024.
4.10.5. acme_url¶
- Default value
https://acme-v02.api.letsencrypt.org/directory
- Optional
No
- Values
URL to the ACME Server endpoint.
- From version
3.42.0
- Description
When getting certificates from a server other than the public Let's Encrypt server, you can use this configuration option to instruct SFTPPlus to use a different ACME server.
Also, you can use it to point to the staging Let's Encrypt server at https://acme-staging-v02.api.letsencrypt.org/directory. Highly recommended during initial deployment and testing.
Most users don't need to change this configuration, and should use the default value.
4.10.6. contact_email¶
- Default value
Empty
- Optional
Yes
- Values
Comma-separated list of contact emails for this domain.
- From version
3.54.0
- Description
Optional email contact information provided to the ACME server.
You can provide multiple addresses as a comma-separated value.
Let's Encrypt can use these addresses to contact you for issues related to certificates obtained by SFTPPlus. For example, the server may wish to notify you about server-initiated revocation or certificate expiration.
Leave it empty to not provide any contact information.
4.10.7. redirect_url¶
- Default value
empty
- Optional
Yes
- Values
Absolute URL
- From version
3.52.0
- Description
This configuration option is used to define the URL to which any request made to this service is redirected, with the exception of Let's Encrypt validation requests.
4.10.8. debug¶
- Default value
'No'
- Optional
Yes
- Values
Yes
No
- From version
3.50.0
- Description
When enabled, the service will emit events with id 20000 containing low-level debug messages for the HTTP protocol used by Let's Encrypt.
Configuration changes are applied only to new connections. Existing connections respect the debug configuration used to initiate them.