To generate a TLS certificate via Let’s Encrypt® you have to create a Let’s Encrypt® account and select how the Let’s Encrypt® challenge is to be carried out.
In order to proceed, select the Enable Let’s Encrypt® certificate generation checkbox.
Generating the Account
If you don’t have a Let’s Encrypt® account you must create one. You might need to create a new account if the one you have is already in use. To create a new account, click on the Create new account button.
A new dialog will ask you to enter one or more contact URIs and to select which ACME protocol directory to use.
Let’s Encrypt® accepts only email addresses as contacts; other providers supporting the same protocol might accept other types of contact, though (phone numbers, for instance).
Email contacts must be provided as the appropriate URI, which always begins with mailto:. For instance, if your email is mrwhite@example.com, the contact has to be provided in the following form: mailto:mrwhite@example.com.
The ACME directory can be one of Let’s Encrypt® production, Let’s Encrypt® staging (for testing only) and custom. Let’s Encrypt® recommends testing against their staging environment before using their production environment, so that you can get things right before issuing trusted certificates and reduce the chance of hitting Let’s Encrypt® rate limits. Check out the Let’s Encrypt® Staging documentation to learn more.
Note: you must accept the Let’s Encrypt® Terms of Service by clicking the Yes button.
Selecting the custom entry lets you enter the URL of any other ACME protocol directory of your choice (useful if you want to use other providers compatible with Let’s Encrypt®).
Selecting the type of challenge
The ACME protocol requires the certificate authority to engage in a challenge-response exchange with FileZilla Server to prove that the domain name(s) for which the certificate is being issued are really under your control. Two challenge methods are supported: using an internal, minimal web server created on the fly by FileZilla Server, or using an existing, already running web server on a machine whose filesystem FileZilla Server has access to.
Perform challenges via an internal web server
In order for FileZilla Server to be able to respond to the Let’s Encrypt® challenges via an internal web server, you must properly set up the IP addresses and ports on which FileZilla Server listens. Let’s Encrypt® will always try to connect to port 80 of the IPs associated with the host names for which the certificate has been requested.
It is your responsibility to make sure that connections to those IPs are routed to the machine FileZilla Server is running on; that might require you to configure network elements and firewalls. By default, FileZilla Server listens on all available IPs on port 80, but you are free to modify that according to your specific network configuration.
Perform challenges via an external web server
In order for FileZilla Server to be able to respond to the Let’s Encrypt® challenges via an external web server, you have to specify the file system path of a folder on the external web server machine into which FileZilla Server has the rights to write files. The external web server has to be configured to serve GET requests rooted at /.well-known/acme-challenge/ from the aforementioned path. The Let’s Encrypt® authority will perform such GET requests to fetch the answers to its challenges.
By selecting the checkbox Create path if it doesn’t exist already, FileZilla Server will attempt to create the provided path on the fly.
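A pre-flight check for the external web server set-up described above, added here as an example and not part of the FileZilla Server documentation or product: it writes a probe file into the folder you intend to hand to FileZilla Server and fetches it back through the challenge URL, the way the certificate authority will. The folder path and the base URL (http://<your host>) are assumed inputs; selftest() stands in for your real web server with a throwaway local HTTP server so the check can be exercised offline.

```python
# Pre-flight check for the external web server (HTTP-01) set-up: write a random
# token file where FileZilla Server will, then fetch it like the ACME CA does.
import os
import secrets
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"  # the only path the CA requests

def write_probe(webroot):
    """Create a random probe file in webroot; return (token, expected body)."""
    token, content = secrets.token_urlsafe(16), secrets.token_hex(16)
    with open(os.path.join(webroot, token), "w", encoding="ascii") as fh:
        fh.write(content)
    return token, content

def fetch_probe(base_url, token, timeout=10.0):
    """GET the probe URL as the CA would; None on any network or HTTP error."""
    url = base_url.rstrip("/") + ACME_PREFIX + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except OSError:  # URLError/HTTPError are OSError subclasses
        return None

def check_challenge_path(webroot, base_url):
    """True iff a file written to webroot is served back at the challenge URL."""
    token, content = write_probe(webroot)
    try:  # always remove the probe so stray files never accumulate in the webroot
        body = fetch_probe(base_url, token)
        return body is not None and body.decode("ascii", "replace").strip() == content
    finally:
        os.remove(os.path.join(webroot, token))

def selftest():
    """Offline demo: serve a temporary docroot on localhost, check a right and a wrong folder."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, ".well-known", "acme-challenge")
        os.makedirs(good)
        srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(SimpleHTTPRequestHandler, directory=root))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % srv.server_address[1]
        try:  # handing FileZilla the docroot itself is the classic mistake: the CA gets a 404
            return check_challenge_path(good, base) and not check_challenge_path(root, base)
        finally:
            srv.shutdown()
            srv.server_close()
```

Against a real deployment, call check_challenge_path with the folder you configured in FileZilla Server and http://<host name on the certificate>; a False result means the web server is not mapping that folder under /.well-known/acme-challenge/ (or port 80 is not reachable), and issuance would fail the same way.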
Once support for Let’s Encrypt® is configured you can start generating new certificates via the Let’s Encrypt® service. To learn how to do that, please refer to the relevant section: How to Generate a certificate using Let’s Encrypt®.
The video tutorial below shows how to generate a TLS certificate via Let’s Encrypt.