ispconfig_update.sh --force Fails to Generate LE SSL Certificate - Done lots of checking before posting

Discussion in 'Installation/Configuration' started by cjsdfw, Nov 9, 2023.

  1. cjsdfw

    cjsdfw Member

    Let me first acknowledge I have tried to do a lot of checking before posting, as I am aware there are a lot of postings regarding this issue.
    I myself have experienced it before, and now once again. Last time the issue just disappeared the following day, so I tried waiting, but it is still failing.

    I have read Till's posting on LE:

    I have checked my DNS and Firewalls. In fact, it was working until I did an update to the server:
    To troubleshoot the issue, I:
    1) Cleared the acme.log
    2) Cleared the Apache error.log
    3) Ran the ISPConfig test script
    4) Monitored the acme-challenge directory with inotifywait
    5) Ran ispconfig_update.sh --force

    In that order, and I have attached all the files to this thread. I just don't have enough knowledge to interpret them properly:

    From the acme.log file, it seems the update script is creating the validation token and writing it to /usr/local/ispconfig/interface/acme/.well-known/acme-challenge

    The inotifywait file seems to corroborate creating the LE challenge file, but then it gets deleted at some point, not sure why.

    I placed a test file in the acme-challenge directory to make sure it can be read from the internet, and it can:

    Don't know what else to do. As always, any help is greatly appreciated.
     


  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    When I go to https://srv1.onpointswr.com/ it does have a certificate, but it is for website jiraumd.com.
    I do not use acme.sh for LE, so I do not know how it sets up the certificate, but there seems to be something wrong there.
     
  3. cjsdfw

    cjsdfw Member

    Thanks for taking time to check...

    The websites I host, like that of my son-in-law, JirauMD.com, have certificates because they have not expired yet, but if I try to set up a new website, LE will not issue the certificate. Also, the ISPConfig UI does not have the certificate: it failed to renew.
     
  4. cjsdfw

    cjsdfw Member

    Just a bit more of info from the Let's Encrypt Log:

    Seems to me it validates the domain fine, but then on "secondary validation", whatever that means, it fails to read the challenge file.

    From looking at the results of inotifywait on the acme-challenge directory, one can see the script deletes the challenge file.
    I wonder if the script is deleting the file before the "secondary validation" and therefore fails?
    It's hard to tell when the delete occurs from just looking at the inotifywait output.

     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  6. cjsdfw

    cjsdfw Member

    Well ahrasis, that link sure helped. Indeed, I turned off Fail2Ban, ran the update script, and sure enough the certificate was created, so the problem is solved.
    Obviously somehow the IP used by LetsEncrypt was banned by Fail2Ban, but it is impossible to identify the IP or prevent this from happening again, as LetsEncrypt not only doesn't publish the IPs used for validation but also changes them routinely for security reasons.
    I thought I might be able to whitelist the FQDN for LetsEncrypt, but when I checked their addresses against my banned IP list, I did not find them.
    Maybe someone will figure out how to whitelist LetsEncrypt so renewals don't get banned on validation.

    At any rate, kudos to ahrasis, your advice is always on target.
     
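The correlation the thread ends up doing by trial and error (disable Fail2Ban, rerun, see it work) can be done from the logs instead: pull the challenge start times out of acme.log and list every fail2ban "Ban" that fired shortly afterwards. This is an added example, not the poster's or ISPConfig's code; the acme.sh line shape, the sample addresses and the jail names are constructed, and both logs are assumed to use the same clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not the attachments from the thread). The acme.sh
# line shape is assumed; the fail2ban.log shape is its standard "Ban" notice.
ACME_LOG = """\
[Thu Nov  9 10:15:30 UTC 2023] Getting webroot for domain='srv1.example.invalid'
[Thu Nov  9 10:15:31 UTC 2023] Verifying: srv1.example.invalid
[Thu Nov  9 10:15:44 UTC 2023] srv1.example.invalid:Verify error:Fetching challenge: Timeout
"""
F2B_LOG = """\
2023-11-09 09:50:02,001 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.9
2023-11-09 10:15:35,417 fail2ban.actions [812]: NOTICE [apache-badbots] Ban 203.0.113.7
2023-11-09 10:15:36,002 fail2ban.actions [812]: NOTICE [apache-badbots] Ban 203.0.113.8
2023-11-09 11:02:10,300 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.10
"""

ACME_RE = re.compile(r"^\[(.+?)\] Verifying: (\S+)")
F2B_RE = re.compile(r"^(\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(\S+)\] Ban (\S+)")

def parse_acme_ts(text):
    # e.g. "Thu Nov  9 10:15:31 UTC 2023" (assumed acme.sh timestamp style)
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Z %Y")

def parse_f2b_ts(text):
    # e.g. "2023-11-09 10:15:35,417" (fail2ban.log timestamp)
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")

def bans_during_validation(acme_log, f2b_log, window_seconds=60):
    """Return every fail2ban 'Ban' that fired within window_seconds after a
    'Verifying:' line: the bans to inspect (and unban) first when a challenge
    file that is readable from the internet still fails to validate."""
    window = timedelta(seconds=window_seconds)
    starts = [(parse_acme_ts(m.group(1)), m.group(2))
              for m in map(ACME_RE.match, acme_log.splitlines()) if m]
    hits = []
    for line in f2b_log.splitlines():
        m = F2B_RE.match(line)
        if not m:
            continue
        when, jail, ip = parse_f2b_ts(m.group(1)), m.group(2), m.group(3)
        for start, domain in starts:
            if start <= when <= start + window:
                hits.append({"domain": domain, "jail": jail, "ip": ip,
                             "seconds_after_start": (when - start).total_seconds()})
    return hits

if __name__ == "__main__":
    for hit in bans_during_validation(ACME_LOG, F2B_LOG):
        print(hit)
```

Run it against the real files (/var/log/fail2ban.log and the acme.sh log) by reading them into the two string arguments; a hit in a jail that watches the web server logs is the sign that a validation request tripped a filter.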
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter
