1#@!#!123s

: / proc / self / root / opt / psa / admin / share / modules / letsencrypt /
Filename : CHANGES.md
back
# 3.3.1 (14 May 2025)

* [-] Improved message of Let's Encrypt token unavailability. (EXTPLESK-8906)

# 3.3.0 (15 April 2025)

* [*] Added support for PHP 8.4 to ensure compatibility with future Plesk releases.
* [*] Internal improvements.

# 3.2.9 (14 January 2025)

* [+] Added the ability to secure mail hosting for domains without website hosting.

# 3.2.8 (26 April 2024)

* [*] Internal localization.

# 3.2.7 (29 March 2024)

* [*] Internal improvements.

# 3.2.6 (26 March 2024)

* [-] The "Exception: PHP Warning: Undefined property: stdClass::$challenges" error no longer occasionally appears in /var/log/plesk/panel.log in Plesk for Linux and %plesk_dir%\admin\logs\php_error.log in Plesk for Windows. (EXTLETSENC-1200)

# 3.2.5 (22 March 2024)

* [*] Improved localization.

# 3.2.4 (13 October 2023)

* [*] Internal improvements.

# 3.2.3 (10 October 2023)

* [*] Internal improvements.

# 3.2.2 (25 September 2023)

* [*] Internal improvements.

# 3.2.1 (20 July 2023)

* [-] Trying to log in to Plesk immediately after installation no longer fails with the "Your connection is not private" error. (EXTLETSENC-1219)

# 3.2.0 (15 June 2023)

* [*] Internal improvements.

# 3.1.13 (15 June 2023)

* [*] Internal improvements.

# 3.1.12 (25 May 2023)

* [*] Internal improvements.

# 3.1.11 (19 May 2023)

* [*] Internal improvements.

# 3.1.10 (19 April 2023)

* [*] Fixed broken links to KB articles in Plesk and its documentation.

# 3.1.9 (7 April 2023)

* [+] Added support for asynchronous order finalization in ACME protocol.

# 3.1.8 (5 April 2023)

* [+] Added support for the Plesk Premium Email (powered by Kolab) extension. A certificate can be issued and installed in the webmail client if the SSL It! extension's version is 1.12.8 or later.

# 3.1.7 (8 March 2023)

* [+] Added support for the SOGo Webmail extension. A certificate can be issued and installed in the webmail client if the SSL It! extension's version is 1.12.6 or later.

# 3.1.6 (21 February 2023)

* [*] Internal improvements.

# 3.1.5 (16 February 2023)

* [*] Internal improvements.

# 3.1.4 (8 February 2023)

* [-] The "Failed to read X509 certificate from PEM string" error no longer appears during the Plesk daily maintenance task. (EXTLETSENC-1182)
* [-] The "openssl_pkey_get_public(): Don't know how to get public key from this private key" error no longer appears during execution of the keep-secured cron job. (EXTLETSENC-1183)

# 3.1.3 (3 February 2023)

* [*] Internal improvements.

# 3.1.2 (16 November 2022)

* [*] Internal improvements.

# 3.1.1 (27 September 2022)

* [-] The extension now shows correct error messages if the Let's Encrypt service returns some errors. (EXTLETSENC-1171)

# 3.1.0 (20 September 2022)

* [*] Internal improvements.

# 3.0.0 (15 March 2022)

* [*] Converted the extension into the SSL It! plugin. In Plesk Obsidian 18.0.22 and later, it is no longer possible to issue and manage Let's Encrypt certificates without the SSL It! extension.    
    
    Note: The upgrade from the Let's Encrypt extension 2.x to 3.0.0 automatically installs SSL It! (if you do not have it installed yet).

# 2.15.0 (15 February 2022)

* [!] According to the [deprecation plan](https://docs.plesk.com/release-notes/obsidian/deprecation-plan/), we hide the Let's Encrypt interface elements. This change was announced in the [Let's Encrypt 2.14 release](https://docs.plesk.com/release-notes/obsidian/change-log/#lets-encrypt-2.14.0). For now, you can bring back the Let's Encrypt interface elements by adding the following lines to the `panel.ini` file:

      [ext-letsencrypt]      
      showInterface = true

    On March 15, 2022 (Let's Encrypt release 3.0.0), we completely convert the extension into the SSL It! plugin. It will no longer be possible to issue and manage Let's Encrypt certificates without the SSL It! extension in Plesk Obsidian 18.0.22 and later. 

    If your Plesk does not have the SSL It! extension installed, the Let's Encrypt release 3.0.0 will automatically install it.

* [*] Removed the code related to the deprecated ACMEv1 protocol from the Let's Encrypt extension. [Let's Encrypt stopped using ACMEv1](https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430) to issue certificates.

# 2.14.0 (14 December 2021)

* [!] **Changing Let's Encrypt from a standalone extension into a plugin for SSL It!**

In February 2022, we plan to change Let’s Encrypt into a plugin for the SSL It! extension.

**Will I lose any Let's Encrypt features?**

You will not! The SSL It! extension already has all the features Let’s Encrypt has and more. The only change is that Let’s Encrypt stops being a standalone extension and starts working only in tandem with SSL It!

**Which Plesk versions will it affect?**

Plesk Obsidian 18.0.22 and later. Earlier Plesk versions do not receive either SSL It! or Let's Encrypt updates.

**How can I continue working with Let's Encrypt certificates?**

- If your Plesk version is 18.0.22 and later, install SSL It! and use it from now on.
- If your Plesk version is 18.0.21 and earlier, update Plesk to version 18.0.40, install SSL It!, and then use it from now on. You can still manage Let's Encrypt certificates using the maintenance-only fork of the Let's Encrypt extension (it comes with no new features, improvements, or bug fixes).

**How and when will the change go into effect in Plesk 18.0.22 and later?**

We are making this change in three steps: 

- On December 14, 2021 (Let’s Encrypt release 2.14.0), we announce the changes in the  [Plesk Change Log](https://docs.plesk.com/release-notes/obsidian/change-log/) and Plesk UI notifications.
- On February 15, 2022 (Let’s Encrypt release 2.15.0), we hide the Let’s Encrypt UI elements. At that point, you will still be able to bring them back by adding the following lines to the `panel.ini` file: 

      [ext-letsencrypt]      
      showInterface = true
      
- On March 15, 2022 (Let’s Encrypt release 3.0.0), we completely change the extension to an SSL It! plugin. It will no longer be possible to manage Let’s Encrypt certificates in Plesk Obsidian 18.0.22 and later without SSL It! 
If you have not installed SSL It! by yourself, Let’s Encrypt release 3.0.0 will automatically install it for you. 

    *Note*: The `showInterface` setting in the `panel.ini` file (mentioned above) stops working from this point on. Keeping it will not hinder your Plesk server in any way. However, we recommend that you remove the `showInterface = true` line from `panel.ini` to declutter the file content.      

**Why do you make these changes to the Let’s Encrypt extension?**

Less than 10% of all Plesk servers use Let’s Encrypt without SSL It! Plus, combining the SSL It! and Let’s Encrypt extensions offers more features than Let’s Encrypt alone.

# 2.13.8 (16 November 2021)

* [-] When it takes more than two minutes to issue an SSL/TLS certificate, the extension no longer fails with the "JWS has an invalid anti-replay nonce" error. (EXTLETSENC-1084)
* [!] The extension no longer supports the `cli.ini` legacy configuration file. To manage the extension settings, use the `panel.ini` file instead.  

# 2.13.7 (29 October 2021)

* [+] The extension now reissues a certificate that secures Plesk if the Plesk hostname was changed.

* [-] During the installation or update of the Let’s Encrypt extension, it no longer tries to reissue a certificate that secures Plesk if this certificate was issued to a domain. (EXTLETSENC-1077) 

# 2.13.6 (15 October 2021)

* [*] Internal improvements.

# 2.13.5 (14 October 2021)

* [*] Internal improvements.

# 2.13.4 (23 June 2021)

* [*] To not exclude the www and/or webmail SANs when the issuance of a SAN certificate failed, add the following lines to the `panel.ini` file:
            
       [ext-letsencrypt]  
       require-www-webmail-sans = true

# 2.13.3 (21 May 2021)

* [-] The extension now shows a human-readable error message if a user tries to secure a domain whose name is longer than 64 characters. (EXTLETSENC-724)  

# 2.13.2 (28 April 2021)

* [-] The extension now reissues a certificate that secures a cloned Plesk instance after the Plesk hostname was changed during cloning. (EXTLETSENC-888)  

# 2.13.1 (20 April 2021)

* [!] The extension will no longer be able to secure new domains during their creation. This feature is now available in the SSL It! extension only.  

# 2.13.0 (01 April 2021)

* [*] New domains can now be automatically secured during their creation in one of the following cases: 

    - The SSL It! extension is installed and enabled.
    - The `panel.ini` setting `enable-securing-new-domain` is turned on. By default, the setting is turned off. To turn it on, add the following lines to `panel.ini`:
    
            [ext-letsencrypt] 
            enable-securing-new-domain = true

* [!] Starting with its next release, the extension will not be able to secure new domains during their creation. This feature will be available in the SSL It! extension only.   

# 2.12.7 (24 March 2021)

* [-] The extension now shows the "Renew" button instead of "Install" if a domain is already secured with a Let's Encrypt certificate. (EXTLETSENC-971)

# 2.12.6 (16 February 2021)

* [*] Internal improvements.

# 2.12.5 (3 February 2021)

* [-] It is now possible to secure the www subdomains of domain aliases with wildcard SSL/TLS certificates. The fix works for the standalone Let's Encrypt extension only. For Let's Encrypt in the SSL It! extension, the issue still remains and will be fixed later. (EXTLETSENC-568)
* [-] It is now possible to secure the Plesk login page with an SSL/TLS certificate if the server hostname is set up as the custom Plesk login URL, while another domain is set up as the default one for the server IP address. (EXTLETSENC-980)
* [-] The extension now shows a clear error message if an SSL/TLS certificate cannot be issued because of misconfigured IPv6 addresses. (EXTLETSENC-752)
  
# 2.12.4 (8 December 2020)

* [*] The extension can now automatically issue SSL/TLS certificates only for those domains
that Plesk verified to be resolvable. Users will no longer see an error from Let's Encrypt occurred when the extension failed to secure 
non-resolvable domains.

    This improvement will be gradually turned on by default for all Plesk Obsidian installations. 

# 2.12.3 (24 November 2020)

* [-] The extension no longer sends repetitive email notifications about usage of the deprecated API protocol. (EXTLETSENC-945, EXTLETSENC-946)

# 2.12.2 (16 October 2020)

* [-] Translated the Let's Encrypt description shown in the SSL It! extension. (EXTLETSENC-932)

# 2.12.1 (8 October 2020)

* [-] The Let's Encrypt extension installed without the SSL It! extension cannot automatically renew SSL/TLS certificates that secure mail. 
The extension now shows the corresponding message and suggests installing SSL It!. (EXTLETSENC-884)

# 2.12.0 (17 September 2020)

* [+] The extension now supports a new chain of trust based on [ISRG Root](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html). 
Before January 11, 2021, the old IdenTrust root remains the default one, while the new ISRG Root is an alternative one. 
After January 11, 2021, the extension will issue SSL/TLS certificates based on the new ISRG Root, while the old IdenTrust root will become an alternative one.

    To have the extension issue SSL/TLS certificates based on the alternative root (which is ISRG Root before January 11, 2021, and IdenTrust after this date), add the following lines to panel.ini:

        [ext-letsencrypt]
        use-alternate-root = true

* [-] Improved an error message shown when the "Keep secured" task fails if the email address of a domain
owner is missing. (EXTLETSENC-887)

# 2.11.1 (11 August 2020)

* [-] Improved the overall performance of the Let's Encrypt extension as a plugin of the SSL It! extension. (EXTLETSENC-890)

# 2.11.0 (9 July 2020)

* [-] Sped up the `remove-expired-tokens.php` task. Expired tokens are now removed faster from the `acme-challenge` directory
on servers with a large number of domains. (EXTLETSENC-845)
* [-] A certificate can now be issued for a domain that is used to access Plesk (the "Customizing Plesk URL" feature). (EXTLETSENC-874)
* [-] The `server` setting of `panel.ini` is now removed as deprecated. (EXTLETSENC-879)

# 2.10.2 (19 June 2020)

* [-] Panel.ini Editor now shows all necessary Let's Encrypt settings. (EXTLETSENC-648)
* [-] After a Plesk daily task was executed, the "PHP Fatal error: Modules_Letsencrypt_CustomInfo" error no longer appears in the logs. (EXTLETSENC-861)

# 2.10.1 (16 June 2020)

* [-] The extension can now issue an SSL/TLS certificate to secure the server hostname
if no domain with this hostname and no default website exist in Plesk for Windows. (EXTLETSENC-855)
* [-] The extension no longer fails to issue SSL/TLS certificates if the common challenge directory support is enabled
and the `plesk` binary path is absent from the IIS process environment. (EXTLETSENC-854)

# 2.10.0 (28 May 2020)

* [-] Automatic renewal of Let's Encrypt certificates no longer fails when a domain has a large number of secured subdomains (more than 200). (EXTLETSENC-644)
* [-] Challenge token files (which are created after certificates failed to be renewed or issued) are now deleted after 3 months.
The extension's folders are no longer cluttered. (EXTLETSENC-676)
* [-] In Plesk for Windows with Bind, wildcard challenge DNS records are now added automatically to the DNS zone of a domain 
that you try to secure with a wildcard certificate. (EXTLETSENC-813)

# 2.9.0 (26 March 2020)

* [+] After Plesk cloning, the extension now tries to automatically secure cloud images and cloned images of Plesk Obsidian with SSL/TLS certificates from Let's Encrypt.
* [+] After Plesk was initialised, the extension now tries to automatically secure Plesk with an 
SSL/TLS certificate from Let's Encrypt. 
* [*] The extension now uses POST requests instead of GET requests in accordance with the [Let's Encrypt decision](https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380). 
* [*] Removed the additional check of SSL/TLS certificates implemented because of the [Let’s Encrypt bug](https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864).
The check is no longer relevant.
* [-] The extension now automatically secures both 8443 and 443 ports during Plesk Obsidian installation. (EXTLETSENC-679)
* [-] If the DNS server is disabled, error messages are no longer shown in `panel.log` after wildcard SSL/TLS certificates were issued. (EXTLETSENC-707)
* [-] In Plesk for Linux, the "Exception: PHP Warning: array_filter" error messages are no longer reported when issuing wildcard SSL/TLS certificates. (EXTLETSENC-720)
* [-] A clear error message is now shown when users try to issue wildcard SSL/TLS certificates but the corresponding feature is disabled. (EXTLETSENC-741)
* [-] Auto-renew of SSL/TLS certificates no longer fails after a secured domain or subdomain was renamed. (EXTLETSENC-768)
* [-] Decreased the possibility of rare issues when IDN domains could not be secured with SSL/TLS certificates from Let's Encrypt. (EXTLETSENC-573)

# 2.8.6 (13 February 2020)

* [-] If an automatic renewal of a Let's Encrypt certificate fails with the "Detail: Order's status ("pending") is not acceptable for finalization" or "Detail: No order for ID \*\*\*\*\*\*\*\*\*" error, the order is removed automatically. The next automatic renewal should complete with no errors. (EXTLETSENC-782)

# 2.8.5 (07 February 2020)

* [-] If users face the "No order for ID" error when they renew their SSL/TLS certificates, the extension fixes the error in the background and the users are asked to issue an SSL/TLS certificate once again, which helps in most cases. (EXTLETSENC-765)

# 2.8.4 (05 November 2019)

* [-] Renewing a certificate issued via the Let's Encrypt extension no longer results in an endless loading screen if the corresponding registration file is corrupted. (EXTLETSENC-552)
* [-] (Plesk Obsidian) Issuing a certificate via the Let's Encrypt extension no longer fails if a certificate for a domain with the same name had already been issued earlier. (EXTLETSENC-577)
* [-] Creating a customer without a subscription in Plesk with the Let's Encrypt extension installed and the "secure-new-domain = on" option specified in the `panel.ini` file no longer results in an error. (EXTLETSENC-697)

# 2.8.3 (24 October 2019)

* [+] Introduced the `allow-wildcard-certificates` option (true by default) under the `ext-letsencrypt` section in the `panel.ini` file.
If set to false, the option hides the feature of issuing
wildcard SSL/TLS certificates in the interfaces of the Let's Encrypt and SSL It! extensions.
    
    **Note**: For the same purpose, users could earlier use the `acme-protocol-version` setting with the `acme-v01` value. 
    If you have this configuration, we recommend that you start using `allow-wildcard-certificates` set to false because
    the ACMEv1 protocol will soon reach end of life.
    
* [*] The extension now consumes less server resources to issue SSL/TLS certificates.    
* [*] Updated the list of trusted root certificates with those from Mozilla CA bundle.

# 2.8.2 (18 July 2019)

* [-] The 'rsa-key-size' setting in the 'panel.ini' file now again sets an RSA key size. (EXTLETSENC-714)
* [-] The webmail client of an add-on domain is no longer changed to the client of the main domain
(or even disabled if webmail was disabled for the main domain) when any of the following actions are done to the 
SSL/TLS certificate of the main domain: issuing, manual or automatic renewal, enabling "Keep websites secured", 
or unassigning. (EXTLETSENC-603)

# 2.8.1 (4 July 2019)

* [-] Securing Plesk with SSL/TLS certificates from Let's Encrypt is now again available in 
Tools & Settings > SSL/TLS certificates. (EXTLETSENC-699)
* [-] It is now possible to issue wildcard SSL/TLS certificates from Let's Encrypt
if the DNS server component is not installed.  (EXTLETSENC-558)

# 2.8.0 (28 May 2019)

* [*] ACMEv2 is now used by default. It makes issuing wildcard certificates also available by default 
with no need to additionally configure the extension to support ACMEv2.
* [*] If ACMEv2 is used, certificates that secure a domain plus webmail are now automatically renewed even if webmail is disabled 
for the domain. 
* [-] If the Plesk database contains a corrupted certificate, the "Keep websites secured" option and the automatic
renewal of certificates now work for all certificates except the corrupted one. (EXTLETSENC-681)
* [-] The extension no longer suggests securing webmail if mail management functions are disabled in Plesk. (EXTLETSENC-674)
* [-] A corrupted certificate in the Plesk database no longer causes unclear error messages in the Let's Encrypt interface. (EXTLETSENC-659)
* [-] Improved the error message shown when there is an attempt to issue a Let's Encrypt certificate for a website that 
cannot pass HTTP challenge. (EXTLETSENC-653) 
* [-] The Plesk mail server can now be secured with ECDSA certificates. (EXTLETSENC-650)
* [-] If debug logging was enabled and then the Let's Encrypt extension was installed while SSL It! was not, excessive messages
informing that SSL It! was not installed are no longer shown in logs. (EXTLETSENC-641)
* [-] ECDSA certificates no longer occasionally fail to be issued and installed. (EXTLETSENC-640) 
* [-] ECDSA certificates can now be issued for IDN domains. (EXTLETSENC-636)
* [-] If a certificate secures a domain plus a subdomain that is an alias for the domain (alias.example.com),
the certificate is now correctly automatically renewed without excluding the alias SAN. (EXTLETSENC-626) 
* [-] The "Secure with an SSL/TLS Certificate" section is no longer shown when wildcard subdomains are created
because Let's Encrypt cannot secure them. (EXTLETSENC-612)
* [-] The "Keep websites secured" option no longer unnecessary reissues certificates trying to secure SANs
(subdomains, domain aliases, or webmail) that do not exist or cannot pass HTTP challenge. "Keep websites secured" now
checks if there are available SANs that can be secured and only then issues a certificate to secure them. (EXTLETSENC-571)
* [-] A wildcard certificate issued for the main domain no longer occasionally fails to secure a subdomain of the domain. (EXTLETSENC-550)
* [-] Configured Docker Proxy Rules can no longer hinder the performance of the Let's Encrypt extension. (EXTLETSENC-11)

# 2.7.3 (24 January 2019)

* [*] Increased stability of issuing ECDSA certificates.
* [*] The "Keep your websites secured with free SSL/TLS certificates" option no longer occasionally incorrectly prolongs an issued SSL/TLS certificate. 

# 2.7.2 (17 January 2019)

* [*] In Plesk for Linux 17.8 and later, the extension now supports issuing ECDSA certificates. To have the extension issue certificates signed with ECDSA, add the following lines to the `panel.ini` file:

      [ext-letsencrypt]
      key-algorithm = ECDSA
      ecdsa-curve-name = prime256v1

* [-] Improved the "Adding Your Own Subscription" screen: the "Secure the domain with Let's Encrypt" section is now placed correctly. (EXTLETSENC-633)

# 2.7.1 (29 November 2018)

* [*] Added integration with the SSL It! extension.
* [*] Updated the list of trusted root certificates with those from Mozilla CA bundle.
* [*] Updated the information about the limit of certificates that can be issued per a registered domain, per a week. Now the messages show the limit of 50 certificates.

# 2.7.0 (31 October 2018)

* [*] Expired wildcard certificates can now be renewed automatically.
* [*] Resolved a number of compatibility issues with Plesk Onyx 17.9.
* [-] Email addresses used for issuing certificates are now included in Plesk backups. (EXTLETSENC-570)

# 2.6.1 (06 July 2018)

* [-] Issuing a wildcard SSL/TLS certificate via the Let’s Encrypt extension page no longer fails with an incorrect redirect. (EXTLETSENC-548)

# 2.6.0 (05 July 2018)

* [+] Users can now issue wildcard SSL/TLS certificates and secure the main domain, subdomains, domain aliases, and webmail with them. By default, Let’s Encrypt uses ACMEv1. For issuing a wildcard SSL/TLS certificate, users need to configure the Let’s Encrypt extension to use ACMEv2. [Here you can read how to do so](https://docs.plesk.com/en-US/onyx/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/getting-free-wildcard-ssltls-certificates-from-let%E2%80%99s-encrypt.79603/). Currently, wildcard SSL/TLS certificates are not renewed automatically. This feature is planned to be added later.
* [*] Improved chances of successful Let's Encrypt HTTP challenge validation by using general locations for `.well-known/acme-challenge`. This helps issue an SSL/TLS certificate if a domain has some specially configured rewrite rules (certain web applications configure them by default) or access restrictions. You can revert this improvement by adding the following lines to the `panel.ini` file:

      [ext-letsencrypt]
      use-common-challenge-dir = false

* [*] Starting with Let’s Encrypt 2.6.0, the `server` setting is replaced with `acme-directory-url`. Now the `server` setting is still supported but it will be deprecated in the future Let's Encrypt updates. We recommend that users replace the `server` setting with `acme-directory-url` in the `panel.ini` file.
* [*] Improved messages for most frequent Let's Encrypt errors.
* [-] Now, to renew a Let's Encrypt SSL/TLS certificate created via the CLI, the email specified in the CLI command is used. (EXTLETSENC-498)

# 2.5.3 (14 March 2018)

* [-] Fixed the issue where the text on the "Secure domain" page was displayed in English regardless of the user's chosen interface language. (EXTLETSENC-481)
* [-] Fixed the localization issue with locales except en-US. In this issue the message about a failed challenge ended with a placeholder instead of failure details. (EXTLETSENC-480)
* [-] Fixed the link to the Let's Encrypt website on the "Secure domain" page. (EXTLETSENC-482)

# 2.5.2 (05 March 2018)

* [-] Fixed the issue where, in Plesk 12.5, the Let’s Encrypt form displayed locale messages incorrectly. (EXTLETSENC-473)

# 2.5.1 (27 February 2018)

* [*] Improved the extension code to make delivering future improvements easier.
* [-] Fixed the issue where, if the "Keep secured" option and at least one of the "secure webmail"/"secure www" options were enabled in Let's Encrypt settings for a domain whose name contained uppercase letters, Let's Encrypt tried retrieving certificates every hour, exceeding rate limits and sending misleading email notifications to the domain's owner. (EXTLETSENC-447)
* [-] Fixed the issue where, if the "Keep secured" option was enabled in Let's Encrypt settings for a domain for which webmail was disabled, the domain's owner received daily email notifications about Let's Encrypt trying and failing to secure webmail. (EXTLETSENC-457)
* [-] Fixed the issue where domain aliases with names in uppercase (e.g. ALIAS.domain.tld) were shown as unsecured in Let's Encrypt even if they were, in fact, secured with a Let's Encrypt certificate. (EXTLETSENC-250)
* [-] Fixed the issue where renewing the Let's Encrypt certificate for a domain with a wildcard subdomain resulted in the subdomain becoming inaccessible. (EXTLETSENC-395)
* [-] Fixed the issue where, in Plesk Web Admin Edition, customers received notifications about Let's Encrypt certificates' renewal even if these notifications were disabled in "Tools&Settings" > "Notifications". (EXTLETSENC-427)
* [-] Fixed the issue where trying to secure webmail for a domain using Plesk Premium Email with a Let's Encrypt certificate resulted in an error. (EXTLETSENC-365)
* [-] Fixed the issue where Let's Encrypt challenges failed for domains with a custom MIME type configured for "." (extensionless files). (EXTLETSENC-364)
* [-] Fixed the issue where renewing the Let's Encrypt certificate securing Plesk stalled indefinitely if the number of IP addresses on the server was very large (40-50 or more). (EXTLETSENC-367)

# 2.5.0 (07 December 2017)

* [+] Let's Encrypt extension can now automatically keep all subscription's websites secured. It finds subscription's add-on domains, subdomains, aliases, www, or webmail domains without a certificate, or with a self-signed or expired certificate, and secures them with a free Let's Encrypt certificate. To enable this feature, open the hosting plan or subscription settings, "Additional Services" tab, and select "Keep websites secured with free SSL Certificate" in the list next to "Let's Encrypt". The check runs each hour by default, which can be configured in Tools & Settings > Scheduled Tasks > "Extension letsencrypt" task.
* [-] Email address on an IDN domain could not be used to issue a Let's Encrypt certificate for Plesk Panel or a domain. (EXTLETSENC-372, EXTLETSENC-399)
* [-] In email notifications, IDN domains were written in punycode. (EXTLETSENC-389)
* [-] IDN domain used for Plesk Panel could not be secured. (EXTLETSENC-371)
* [-] When automatically renewing a certificate, the extension attempted and failed challenges on disabled domain aliases, included in the current certificate. This resulted in excessive email notifications. Now the extension detects such domain aliases and does not attempt challenges on them. (EXTLETSENC-391)
* [-] The extension attempted to automatically renew certificates for suspended and disabled domains, which failed and caused excessive email notifications. (EXTLETSENC-375, EXTLETSENC-387)
* [-] Domains without SSL/TLS support had the Let's Encrypt button, allowing users to issue certificates, which could not be used afterwards. (EXTLETSENC-127)
* [-] Disabled domain aliases had the Let's Encrypt button, allowing users to attempt to issue a certificate. (EXTLETSENC-397)
* [-] Securing Plesk Panel with CLI command did not complete: the certificate was issued and saved to server storage, but was not applied. (EXTLETSENC-374)

# 2.4.0 (16 October 2017)

* [+] The customers are now notified by email about automatic certificate renewal, both successful and failed. This behaviour can be configured in Tools & Settings – Notifications.
* [*] In error reports, technical details are now grouped together in a collapsed text block.
* [*] The certificate used for securing mail service will now be renewed and applied automatically. Several issues with renewing certificates were fixed.
* [*] On Windows servers, domain certificates used for securing Plesk Panel are now actually renewed instead of removing old certificate and issuing a new one. (Only for Plesk 17.8 and later.)
* [-] When creating a subscription or domain with an internationalized domain name, automatic installation of a Let's Encrypt certificate failed. (EXTLETSENC-329)
* [-] If Let's Encrypt Authority rejects the request with "Policy forbids issuing for name", the error message now provides relevant information and a reference link. (EXTLETSENC-202)
* [-] The certificate used for securing Plesk Panel was not shown in the certificate repository. (EXTLETSENC-187)
* [-] Under certain circumstances, the certificate for Plesk Panel was not renewed upon updating the Let's Encrypt extension from versions earlier than 2.0. (EXTLETSENC-322)
* [-] When issuing a certificate for a webmail addon domain, if an error occurred, the error message did not provide a relevant explanation. (EXTLETSENC-321)
* [-] On Windows servers, symbolic links to certificates were created with extra `\` symbols, which prevented opening them with some applications, for example with `notepad.exe`. (EXTLETSENC-315)

# 2.3.0 (31 August 2017)

* [+] When creating a subscription, add-on domain, or subdomain, it can be immediately secured with a Let's Encrypt certificate. The corresponding checkbox on the subscription or domain creation page is not selected by default. To make it selected by default, add the following setting in the `panel.ini`:

      [ext-letsencrypt]
      secure-new-domain = true
      
* [*] The Let's Encrypt extension now explains common errors that can happen when issuing a certificate and gives instructions on resolving them.
* [-] When using Let's Encrypt CLI for issuing a certificate, the alternative domain names, passed as command parameters, were not included in the cerfificate. (EXTLETSENC-104)
* [-] An error message was shown when the extension could not clean up certain temporary files after issuing a certificate. Now a warning message is shown instead. (EXTLETSENC-106)
* [-] Under certain circumstances, on Plesk 12.5 servers, issuing a certificate on a subscription with incorrect DNS configuration resulted in a 'PHP fatal error'. (EXTLETSENC-256)
* [-] Under certain circumstances, if the web server restarted during the process of renewing a certificate, it could not access the certificate file, which resulted in failure to restart. (EXTLETSENC-213)
* [-] Under certain circumstances, on Plesk 12.5 servers, a certificate renewal task failed with 'DEBUGGER DETECTED' message. (EXTLETSENC-255)
* [-] The symbolic links to issued certificates were created with Unix-style path separator, which resulted in them being unreadable. (EXTLETSENC-235)

# 2.2.2 (20 July 2017)

* [*] To prevent Let's Encrypt extension from automatically securing Plesk Panel on installation, add the following setting in `panel.ini` before installing or updating the extension:

      [ext-letsencrypt]
      disable-panel-auto-securing = true

* [-] In certain cases, when installing or upgrading the extension, a valid certificate used for securing Plesk Panel was detected as insecure and replaced with Let's Encrypt certificate. (EXTLETSENC-222)
* [-] Setting the `verify` option to `true` in panel.ini config section for Let's Encrypt extension resulted in inability to connect to the Let's Encrypt CA servers. (EXTLETSENC-223)
* [-] The command line interface did not allow to issue certificates for domains with `www` prefix. (EXTLETSENC-226)

# 2.2.1 (12 July 2017)

* [-] The extension incorrectly handled errors in communicating with Plesk Panel, which disrupted the functioning of extension itself. Now it correctly handles such errors, shows an explaining message and continues working when possible. (EXTLETSENC-221)

# 2.2.0 (11 July 2017)

* [!] This update contains changes, affecting both Let's Encrypt and Security Advisor extensions. Please also update Security Advisor to version 1.4.1 or later.
* [+] Plesk Panel can now be secured with a Let's Encrypt certificate. The corresponding setting is now available at the SSL/TLS Certificates page.
* [+] Upon installing or upgrading (either at Plesk installation or separately), the extension checks that a trusted certificate is used for Plesk Panel. If the extension detects a non-trusted (for example, self-signed) certificate, it automatically attempts to replace it with a trusted certificate from Let's Encrypt CA. Thus, in most cases, a fresh installation of Plesk Panel is secured since the first login.
* [*] The extension now detects and renews Let's Encrypt certificates, obtained with Security Advisor for securing Plesk Panel.
* [*] Renewing the Let's Encrypt certificates is now done at a random time within the day when the certificate is due to renewal. This helps evenly spreading the load on Let's Encrypt Certificate Authority and enables issuing more free certificates.
* [-] Cases, when IPv6 was disabled for a subscription but an external DNS resolved the domain name to an IPv6 address, were not detected. This resulted in failing attempts to create a certificate. Now Plesk correctly detects such cases and shows a message, explaining the problem. (EXTLETSENC-182)
* [-] The extension was not able to renew certificates, issued before updating the extension to version 2.0 for domain names with uppercase letters. (EXTLETSENC-211)
* [-] The subscription's certificate README file was missing a link to the Certbot documentation. (EXTLETSENC-166)
* [-] A failed certificate installation led to exhausting the Let's Encrypt rate limits for a domain, which resulted in inability to renew the certificate. (EXTLETSENC-198)
* [-] On Windows servers, Renewing certificate for webmail.<domain.tld> failed. (EXTLETSENC-164)

# 2.1.0 (18 May 2017)

* [+] It is possible to include webmail to Let's Encrypt certificate request and secure both the domain and webmail with this certificate.
* [*] Let's Encrypt custom settings can be configured via the `panel.ini` file.
* [-] After a certificate for a subdomain had been issued, it was impossible to renew the certificate for the parent domain. (EXTLETSENC-105)

# 2.0.3 (13 April 2017)

* [*] The extension now logs its communication with the Let's Encrypt servers in the "panel.log". This enables better troubleshooting when there are some issues with requesting a certificate.

# 2.0.2 (06 April 2017)
* [*] Before requesting a certificate for multiple domain names, the extension verifies the ownership of each domain name included in the request. If a domain name passes the verification but its "www" counterpart fails it, the latter is excluded from the certificate signing request. After verification is finished, a warning message listing the excluded domain names is displayed.
* [*] For each secured domain, the extension creates a symbolic link to the certificate. When the extension renews the certificate, it updates the link, so that the link always points to the latest certificate.
* [-] On Windows 2012 and Windows 2016 servers, renewed certificates were not added to IIS.

# 2.0.1 (28 March 2017)
* [-] Let's Encrypt certificates could not be issued if no list of trusted root CAs could be found on the server. (EXTLETSENC-82)

# 2.0.0 (27 March 2017)
* [+] Domain aliases support added
* [+] IDN domains support
* [*] Granular and reliable renew process: the extension now performs a daily check for certificates which are about to expire and renews them not earlier than 30 days before their expiration
* [*] Replaced Python-based certbot with PHP-based client
* [-] Fixed installation issues with python dependencies when 3rd-parties upgrade breaks compatibility
* [-] Fixed python-related issues (virtualenv and so on) on Windows

# 1.9 (8 October 2016)
* [+] Ubuntu 16 support added
* [-] Fixed dist-upgrade issue on debian/ubuntu OSes

# 1.8 (15 September 2016)
* [*] Upgrade on Windows recreates virtualenv
* [-] Fixed issues after upgrade Plesk to Onyx

# 1.7 (26 August 2016)
* [-] ConnectionError on Windows 2012 (issue #103)
* [*] Update certificate with new API in Onyx
* [*] Use certbot packages instead of letsencrypt
* [+] Update subscriber agreement
* [+] Hide disabled webspaces from the domains list

# 1.6 (6 June 2016)
* [*] Switch from system python to plesk-py27 on all unix OSes (issues #59, #68, #70)

# 1.5 (4 March 2016)
* [+] Windows support (2012 and above, Plesk 12.5 MU#24 is required)
* [+] Translation added (ar, cs-CZ, da-DK, de-DE, el-GR, es-ES, fi-FI, fr-FR, he-IL, hu-HU, id-ID, it-IT, ja-JP, ko-KR, ms-MY, nb-NO, nl-NL, pl-PL, pt-BR, pt-PT, ro-RO, ru-RU, sv-SE, th-TH, tl-PH, tr-TR, uk-UA, vi-VN, zh-CN, zh-TW)
* [-] Always put .htaccess in the challenges folder (issues #63 and #82)

# 1.4 (19 February 2016)
* [-] Fixed certificates renew task broken in 1.3 (issue #77)

# 1.3 (15 February 2016)
* [+] Debian 6 is now supported
* [+] Extension now ignores unsupported domains:
  * Inactive (disabled/suspended) domains
  * Wildcard subdomains
  * Domains without web hosting
  * IDN domains
* [+] Users can now secure Plesk with www. prefix in hostname (issue #11)
* [+] Store CLI options for certificate renewal (issue #46)
* [+] Disable rewrite rules and satisfy authentication (with `.htaccess` file) in challenges directory (issues #13 and #16)
* [-] No more conflicts with alt-python-virtualenv on CloudLinux
* [-] Fixed PHP Warning: Invalid argument supplied for foreach
* [-] ExpatError in case Plesk port 8443 is customized (issue #30). Thanks to @MatrixCrawler
* [-] Disable HTTPS warnings: localhost is always trusted

# 1.2 (23 December 2015)
* [+] Ability to use the certificate for Plesk (issue #11)
* [+] CLI to use the certificate for Plesk: `--letsencrypt-plesk:plesk-secure-panel` (issue #11)
* [+] Add note about monthly certificate renewal
* [-] Fixed duplicate renew tasks if the original was changed

# 1.1 (14 December 2015)
* [+] Ability to include www.domain.tld as an alternative domain name (issue #4)
* [-] Save the previously used e-mail address (issue #17)

# 1.0 (4 December 2015)
* [*] Install binary dependencies from wheels (gcc is not required)
* [+] List of hosted domains and subdomains
* [+] Button under each domain on Websites&Domains
* [+] Submit e-mail and automatically install the certificate on the domain
* [+] Monthly task renews certificates issued by Let's Encrypt (according to the name of the certificate)
* [*] Retrieve info about hosted domains through Plesk API
* [+] Install certificates in Plesk
* [+] Treat www.domain.tld as an alias of domain.tld