Plesk Panel 3d ago 5 views 5 min read

How to install a Let's Encrypt SSL certificate in Plesk

Configure Plesk Obsidian to automatically obtain and renew an SSL certificate using Certbot without breaking your existing site configuration.

Roy S
Updated 21h ago

Introduction

This guide configures Plesk Obsidian to automatically obtain a valid Let's Encrypt SSL certificate for your domain. The steps target Plesk Obsidian 18.x running on Linux distributions like AlmaLinux 9 or Ubuntu 24.04. You will enable automatic renewal so the certificate never expires.

Prerequisites

  • A Plesk Obsidian 18.x license installed on the server.
  • Root or Plesk Administrator privileges to run the command line tools.
  • The domain name must resolve to your server IP through an A or AAAA record.
  • Port 80 must be open in the firewall (firewalld/ufw) for validation.
  • At least 256 MB of free memory is recommended for the plugin.

Step 1: Install the Let's Encrypt plugin

You must install the official Let's Encrypt plugin before you can request a certificate. Open the terminal and run the installation command provided by the Plesk repository. The script will automatically detect your OS and install the correct version of Certbot.

plesk-installer -y --enable-letsencrypt

Wait for the process to finish. You will see a progress bar and a confirmation message indicating the plugin is ready. Do not interrupt the process once it starts.


Installing Let's Encrypt plugin...
Installing Certbot...
Plugin installed successfully.

Step 2: Configure the firewall for validation

Let's Encrypt validation requires the server to accept HTTP traffic on port 80. If you are using firewalld on AlmaLinux or CentOS, ensure the port is open. Run the following command to allow incoming traffic on port 80.

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload

If you are using ufw on Ubuntu, run this command instead.

ufw allow 80/tcp

Restart your web server to ensure it listens on port 80. For Nginx, run `systemctl restart nginx`. For Apache, run `systemctl restart httpd` on AlmaLinux or `systemctl restart apache2` on Ubuntu. Ensure the web server is running before proceeding to the next step.

systemctl status nginx

Step 3: Request the SSL certificate

Use the Plesk command line tool to request the certificate for your specific domain. Replace your-domain.com with the actual domain name you want to secure. The tool will verify DNS records and generate the certificate files.

plesk letsencrypt request --domain your-domain.com --force

The command will output a success message if the validation passes. You will see the certificate path and expiration date in the output. If you have multiple domains, repeat the command for each one.


Requesting certificate for your-domain.com...
Certificate installed successfully.
Certificate path: /etc/letsencrypt/live/your-domain.com/

Step 4: Configure automatic renewal

Let's Encrypt certificates expire after 90 days. You must configure the system to renew them automatically. The Plesk plugin installs a cron job that checks for expiring certificates. Verify the cron job exists by checking the crontab for the root user.

crontab -l

You should see an entry running every 6 hours to check for renewal. If the entry is missing, the plugin installation failed. Run the following command to manually trigger a renewal test immediately.

systemctl restart certbot.timer

Check the status of the timer service to ensure it is active.

systemctl status certbot.timer

Verify the installation

Confirm the certificate is active by checking the expiration date. Run the following command to view the certificate details for your domain. The output should show a valid "Not After" date more than 90 days away.

openssl x509 -in /etc/letsencrypt/live/your-domain.com/fullchain.pem -noout -dates

You should see output similar to this:

notBefore=Jan 01 00:00:00 2024 GMT
notAfter=Apr 01 00:00:00 2024 GMT

Open a browser and visit https://your-domain.com. Click the padlock icon to verify the issuer is "Let's Encrypt" or "R3".
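
The renewal check from Step 4 and the date check above can be combined into one monitoring script. This is an added example, not part of the original guide or of Plesk: it reads the `openssl x509 -dates` output and flags a certificate that is still valid but has entered the renewal window without being replaced, which is the symptom of a renewal job that is not running. The 30-day window and the names `parse_dates` and `renewal_status` are assumptions of this example.

```python
import subprocess
import sys
from datetime import datetime, timezone

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # date format printed by `openssl x509 -dates`
RENEW_WINDOW_DAYS = 30  # assumption: renewal is attempted 30 days before expiry


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a space ("Jan  1"); collapse it
            stamp = datetime.strptime(" ".join(value.split()), DATE_FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected one notBefore= and one notAfter= line")
    return found["notBefore"], found["notAfter"]


def renewal_status(text, now=None):
    """Classify a certificate from its validity dates at time `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_dates(text)
    days_left = (not_after - now).days
    if now < not_before:
        state = "not-yet-valid"  # usually a wrong system clock
    elif now >= not_after:
        state = "expired"
    elif days_left < RENEW_WINDOW_DAYS:
        state = "renewal-overdue"  # still valid, but the renewal job has not replaced it
    else:
        state = "ok"
    return {"state": state, "days_left": days_left,
            "lifetime_days": (not_after - not_before).days}


if __name__ == "__main__":
    # Usage: python3 cert_check.py /etc/letsencrypt/live/your-domain.com/fullchain.pem
    failed = False
    for path in sys.argv[1:]:
        dates = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-dates"],
                               capture_output=True, text=True, check=True).stdout
        result = renewal_status(dates)
        print(f"{path}: {result}")
        failed = failed or result["state"] != "ok"
    sys.exit(1 if failed else 0)
```

The script exits with status 1 when any certificate is not in the `ok` state, so it can be run from cron or a monitoring agent and alert on a non-zero exit.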

Troubleshooting

If the request fails with an error, check the logs for specific details. The most common error is "Connection refused" or "Timeout". This usually means port 80 is blocked or the web server is not running.

journalctl -u nginx -n 50

Check for syntax errors in your web server configuration files. If the web server fails to start, the certificate validation will fail. Run the following command to test the configuration syntax for Nginx.

nginx -t

If you see "syntax error", fix the file and restart the service. If the error is "Port 80 in use", check for conflicting services like Apache or another Nginx instance.

netstat -tulpn | grep :80

Ensure only one web server is listening on port 80. If you are using a reverse proxy, ensure the proxy is forwarding port 80 to the internal web server. If the error is "Invalid domain", verify that your DNS A record points to the correct IP address. Use the `dig` command to verify DNS resolution.

dig your-domain.com +short

If the IP returned does not match your server, update your DNS records. If the error is "Certificate not found", the previous installation might be corrupted. Remove the old certificate and try again.

rm -rf /etc/letsencrypt/live/your-domain.com

Run the request command again. If you encounter permission errors, ensure the Certbot process runs as root. Check the logs using the following command.

journalctl -u certbot -n 100

Look for lines starting with "ERROR". If the error mentions "chroot", ensure your OS supports chroot environments for Certbot. If you see "Failed to create directory", check disk space and permissions on the /etc/letsencrypt folder.

ls -ld /etc/letsencrypt

Ensure the directory is owned by root. If the issue persists, reinstall the plugin to reset the configuration.

plesk-installer -y --enable-letsencrypt

After reinstalling, run the request command again. If the certificate is still not installing, verify that the Plesk kernel is compatible with the latest Certbot version. Update Plesk to the latest patch level if necessary.
