Historically SSL certificates have been costly. Enter: Let’s Encrypt. A free SSL provider with a massive amount of industry support.
Free Let’s Encrypt certificates are the best option for most use-cases as they’re really simple to install and cover end-to-end encryption for website visitors. However in select cases, like an online store, you may wish to use a commercial certificate instead. Read more on how to select your SSL certificate here.
Prepare to install your Let’s Encrypt certificate
There’s a few things you must do before you can generate your free certificate:
Ensure your domain is live
Let’s Encrypt uses HTTP validation to confirm you actually have access to your website. Since you’re installing Let’s Encrypt using Plesk, this validation is done automatically for you, however it also means that your site must be live (DNS updated and working) prior to enabling Let’s Encrypt. If your site is not live on the server where you’re activating Let’s Encrypt, the installation will fail. There is no way around this: the website must be live on the same server where you’re installing the certificate.
If your domain isn’t yet live with us, the following steps will ensure your Let’s Encrypt certificate will apply as soon after you make it live as possible.
- Make the necessary DNS changes to point the domain to us.
- Wait 30 minutes. Then flush Google DNS for the domain here. Flushing the Google DNS cache works because Let’s Encrypt currently uses Google DNS for its lookups.
- Use the steps below to install your Let’s Encrypt SSL certificate
How to Create a Let’s Encrypt Certificate
- Begin by logging in to Plesk
- Once in Plesk, find the domain that you wish to secure in the list. If you don’t see a list of domains, click “Websites & Domains” in the upper left corner, then click on the domain to see all options.
- Select the SSL/TLS Certificates button
- Choose Get it free under “Entry-level protection”. If you already have one and wish to edit what’s included in it, this button will say “Reissue Certificate” instead.
- Choose Install a free basic certificate provided by Let’s Encrypt
- Specify the email address that will be used for urgent notices and lost key recovery.
- You may be presented with some or all of these options to secure:
- Secure the domain name: Keep this checked
- Secure the wildcard domain: This is for advanced users only as it may require manually editing your DNS records. Unless you know you have a specific use-case for a wildcard certificate, do not enable the wildcard certificate option
- Include a “www” subdomain: Keep this checked. If you get an error after issuing the cert about www.<yourdomain> not working, you’ll need to attempt issuing the cert again, but exclude this option or create a DNS record for the www subdomain to work.
- Secure webmail: if you have your own VPS, we recommend enabling this. For all other users, keep it disabled.
- If you have domain aliases and/or subdomains, you’ll be presented with the option to include them in the certificate here, however be sure they are pointing to this hosting account and live: If any of your aliases or subdomains are not live, do not select them or your certificate will not be successfully issued.
- Assign the certificate to the mail domain: If you use your Websavers account to host your email (and not an external service like Google or Microsoft), we recommend enabling this option so that Plesk adds your SSL certificate to the mail server. Now, when setting up accounts with mail apps, you could opt to use <yourdomain> as the mail server address and you will not get an SSL certificate mismatch notification. Do not enable this if your mail is hosted with our Exchange hosting solution, or a 3rd party service.
- Click Get it free.
You’ve now got an SSL certificate!
Errors? See the troubleshooting section below.
Plesk automatically generates the CSR, sends it to Let’s Encrypt, retreives the certificate, installs it, then activates it for the domain.
- Now that you’ve got the cert, you may wish to force SSL to be active across your entire website.
- If you’re using a web application like WordPress, you may also find you need to adjust some of your image resources, or use a plugin to forcefully change all resource links to HTTPS. Here’s how!
A video walkthrough for the older version of Plesk Onyx can be found here.
If you recently updated your DNS and you get an error while issuing the certificate, be sure you don’t keep trying over and over as Let’s Encrypt only allows 4-5 failures before they institute a 60 minute cooling-down period (for the whole server!) If it doesn’t work after 60 minutes, wait 30 more. If it doesn’t work after that, wait 30 more and try again. It shouldn’t take longer than 2 hours.
If, after completing all the steps above, you get an error in Plesk indicating that the SSL certificate couldn’t be issued, please check the precise error against our list of possible Let’s Encrypt errors and solutions.
Any questions or feedback? Leave them in the comments.
Updated Mar 9, 2020 for Plesk Obsidian’s Certificate Management Changes. Originally written in 2016.