Let's Encrypt
Automatically obtain and renew trusted TLS certificates from Let's Encrypt using the DNS-01 challenge. This method works behind NAT and firewalls because it proves domain ownership via a temporary DNS TXT record instead of requiring inbound HTTP access. Certificates renew automatically every 60 days.
Inputs
| Name | Description | Allowed Values | Default |
|---|---|---|---|
| Email Address | Contact email for Let's Encrypt expiration notices and account recovery | Valid email address | — |
| Domain | The domain name to obtain a certificate for | FQDN (e.g., scan.example.com) | — |
| DNS Provider | Your DNS hosting provider for automated TXT record creation | One of the supported providers (Cloudflare, Route 53, etc.) | First provider in list |
| Provider Credentials | API token or key fields specific to the selected DNS provider | Provider-specific; see field help text | — |
| Use Staging | Request certificates from the staging server for testing | Checkbox (true/false) | Unchecked (production) |
Fields & Columns
| Name | Description |
|---|---|
| Domain | The domain the current ACME certificate was issued for |
| Provider | The DNS provider used for the DNS-01 challenge |
| Expires | Certificate expiration date |
| Last renewed | Timestamp of the most recent successful certificate renewal |
| Next check | When the system will next check if renewal is needed |
| Staging mode | Indicates the certificate was issued by the staging CA (not browser-trusted) |
How To
Configure Let's Encrypt for the first time
- Enter the email address for Let's Encrypt notifications.
- Enter the domain name that resolves to your mipo instance.
- Select your DNS provider from the dropdown.
- Fill in the provider-specific credential fields (API token, zone ID, etc.).
- Optionally enable staging mode to test without hitting rate limits.
- Click "Test Credentials" to verify DNS provider access.
- Click "Configure Let's Encrypt" to start the certificate request.
- Wait 1-2 minutes for DNS propagation and certificate issuance.
Gotchas
- Staging certificates are not trusted by browsers — disable staging mode for production use.
- Let's Encrypt has rate limits: 5 duplicate certificates per week in production. Test with staging first.
- DNS propagation can take up to 2 minutes; the status section polls automatically while in progress.
- Credential fields reset when you switch DNS providers — copy values before switching if needed.
API Calls (3)
| Method | Path | Description |
|---|---|---|
| POST | /api/admin/ssl/letsencrypt | Start ACME certificate request with DNS provider configuration |
| POST | /api/admin/ssl/test-credentials | Test DNS provider credentials without requesting a certificate |
| GET | /api/admin/ssl/acme-status | Poll current ACME certificate status and renewal information |
Related Pages
- TLS Status — Shows the active certificate after Let's Encrypt issues it
- Custom Certificate — Alternative to Let's Encrypt when you manage certificates externally