Morning, I'm hoping someone can help as I am encountering an SSL error again... I have a production server which has been running with a few websites for a while and all seems OK. However, I need to move about 7 websites from a VPS as it expires next February. So, I moved the first site (which is not a critical one, so the downtime has been OK)... the site is installed and DNS configured.

When I tick the SSL & Let's Encrypt SSL checkboxes the server updates, but once refreshed the tickboxes are un-ticked again. If I try to visit the website it serves the wrong domain with an HTTPS warning. So, I tried just ticking the SSL box and not the Let's Encrypt one and this sticks OK, but when I try to visit the website, I get:

Code:
mywebsite.com doesn't support a secure connection with HTTPS

but if I go through the "ignore errors" prompts it does display the website, but with the HTTPS struck out in the address bar and a "Not Secure" warning. I have had similar problems before, so have gone through my posts from years ago to try and resolve this, but still can't remedy this. I have checked that:

1. acme.sh is installed (errors in log, so must be installed!)
2. Am running latest version of ISPConfig
3. NAT is correct as most sites hosted serve SSL ok
4. Not using CloudFlare
5. DNS is correct
6. IPv4 Address is set to * for all websites hosted
7. Am not migrating websites, so not using migrate tool

I followed instructions about DEBUG... attached is server log from ISPConfig dashboard.
In crontab -e I commented out:

Code:
# * * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done

Then ran:

Code:
/usr/local/ispconfig/server/server.sh

Output:

Code:
admin@server2:~$ /usr/local/ispconfig/server/server.sh
-bash: /usr/local/ispconfig/server/server.sh: Permission denied
admin@server2:~$ sudo /usr/local/ispconfig/server/server.sh
15.07.2025-09:34 - DEBUG [z php fpm incron reload plugin.inc:31] - You must install incron in order to use this plugin
15.07.2025-09:34 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
15.07.2025-09:34 - DEBUG [server:224] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished server.php.

Beyond this, I have tried:

Code:
sudo ispconfig_update.sh --force

I selected:

Code:
Reconfigure Permissions = no
Reconfigure Services = yes
Create new ISPConfig SSL certificate = yes
Symlink ISPConfig SSL certs to Postfix = y
Symlink ISPConfig SSL certs to Pure-FTPd = y
Reconfigure Crontab = yes

When I visit my ISPConfig portal at https://server.mywebsite.com:8080 it shows https with no errors or warnings. So, I believe SSL is working on the server.

I checked /var/log/ispconfig/acme.log and have attached the lines which seem relevant (I have changed my domain name to mywebsite.com).

Obviously I don't want to start moving all the websites until I know I can enable SSL seamlessly... so, if anyone can help I would be very grateful.

Thanks
SliMat
Code:
admin@server2:~$ sudo /usr/local/ispconfig/server/server.sh
setquota: Not setting block grace time on /dev/mapper/ubuntu--vg-ubuntu--lv because softlimit is not exceeded.
setquota: Not setting inode grace time on /dev/mapper/ubuntu--vg-ubuntu--lv because softlimit is not exceeded.
[Tue Jul 15 11:08:49 AM BST 2025] mywebsite.com: Invalid status. Verification error details: 2620:78:200f::cf:12: Invalid response from http://mywebsite.com/.well-known/acme-challenge/GBl_gNW2lNlwyxYn8mqy0lzehimC9Bl7tHfXVjR7as0: 522
[Tue Jul 15 11:08:49 AM BST 2025] Please check log file for more details: /var/log/ispconfig/acme.log
15.07.2025-10:08 - WARNING - Let's Encrypt SSL Cert for mywebsite.com via acme.sh could not be issued. Used command: R=0 ; C=0 ; /root/.acme.sh/acme.sh --log '/var/log/ispconfig/acme.log' --issue -d 'mywebsite.com' -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --ecc --keylength ec-256 ; R=$? ; if [ $R -eq 0 ] || [ $R -eq 2 ]; then : ; /root/.acme.sh/acme.sh --log '/var/log/ispconfig/acme.log' --install-cert -d 'mywebsite.com' --ecc --key-file '/var/www/clients/client1/web3/ssl/mywebsite.com-le.key' --fullchain-file '/var/www/clients/client1/web3/ssl/mywebsite.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' ; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C ; fi
finished server.php.
I interpret the logs as saying that there is a permissions error (don't know if that's correct or not), but do see in /var/www/clients/client1/web3/ssl two files which are time stamped February this year:

Code:
mywebsite.com-le.crt
mywebsite.com-le.key

So, I did wonder about deleting these and trying to tick the Let's Encrypt SSL box in ISPConfig again to see if it will re-create these? Not sure if this is a good thing to do, or not?
This time you had the LE checkbox enabled before running server.sh, but debug logging disabled. So we still did not get the full debug log output. Do not delete the certificates; your web server would fail if you do so. The log does not show a permission error, the log says that the domain can not be validated when LE tries to reach that website. What's in that site, do you e.g. use some proxy configuration in the site which might forward the LE requests to a different application? Or do you use Cloudflare proxy, which would also prevent the renewal?
No, the site is just a WordPress site - I created a blank new site in the usual way in ISPConfig, then restored my WordPress site using Duplicator... no proxy configuration and not using CloudFlare... the DNS points straight to the router and then all the ISPConfig ports on the router are pointed to the webserver using NAT. I have 3 or 4 other sites on this server all working with SSL correctly... so am 100% sure it's not proxy/NAT related. I will re-enable debug & run the logging report again and post back shortly.
Code:
admin@server2:~$ sudo /usr/local/ispconfig/server/server.sh
15.07.2025-12:42 - DEBUG [z php fpm incron reload plugin.inc:31] - You must install incron in order to use this plugin
15.07.2025-12:42 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
15.07.2025-12:42 - DEBUG [server:184] - Found 1 changes, starting update process.
15.07.2025-12:42 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
15.07.2025-12:42 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
15.07.2025-12:42 - DEBUG [system.inc:2539] - safe_exec cmd: chattr -i '/var/www/clients/client1/web3' - return code: 0
15.07.2025-12:42 - DEBUG [system.inc:2539] - safe_exec cmd: chattr +i '/var/www/clients/client1/web3' - return code: 0
15.07.2025-12:42 - DEBUG [system.inc:2539] - safe_exec cmd: df -T '/var/www/clients/client1/web3'|awk 'END{print $2,$NF}' - return code: 0
15.07.2025-12:42 - DEBUG [system.inc:2539] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
15.07.2025-12:42 - DEBUG [system.inc:2539] - safe_exec cmd: setquota -u 'web3' '0' '0' 0 0 -a &> /dev/null - return code: 0
setquota: Not setting block grace time on /dev/mapper/ubuntu--vg-ubuntu--lv because softlimit is not exceeded.
setquota: Not setting inode grace time on /dev/mapper/ubuntu--vg-ubuntu--lv because softlimit is not exceeded.
15.07.2025-12:42 - DEBUG [system.inc:2539] - safe_exec cmd: setquota -T -u 'web3' 604800 604800 -a &> /dev/null - return code: 0
15.07.2025-12:42 - DEBUG [system.inc:2539] - safe_exec cmd: chattr +i '/var/www/clients/client1/web3' - return code: 0
15.07.2025-12:42 - DEBUG [system.inc:2539] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
15.07.2025-12:42 - DEBUG [letsencrypt.inc:74] - acme.sh version is 3.1.2, so using --keylength ec-256 instead of --keylength 4096
15.07.2025-12:42 - DEBUG [system.inc:2104] - Trying to use Systemd to restart service
15.07.2025-12:42 - DEBUG [system.inc:2539] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
15.07.2025-12:42 - DEBUG [letsencrypt.inc:468] - Create Let's Encrypt SSL Cert for mywebsite.com (ECDSA) via acme.sh, domains to include: mywebsite.com
15.07.2025-12:42 - DEBUG [system.inc:1830] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --log '/var/log/ispconfig/acme.log' --issue -d 'mywebsite.com' -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --ecc --keylength ec-256 ; R=$? ; if [ $R -eq 0 ] || [ $R -eq 2 ]; then : ; /root/.acme.sh/acme.sh --log '/var/log/ispconfig/acme.log' --install-cert -d 'mywebsite.com' --ecc --key-file '/var/www/clients/client1/web3/ssl/mywebsite.com-le.key' --fullchain-file '/var/www/clients/client1/web3/ssl/mywebsite.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' ; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C ; fi
[Tue Jul 15 01:43:19 PM BST 2025] mywebsite.com: Invalid status. Verification error details: 2620:78:200f::cf:12: Invalid response from http://mywebsite.com/.well-known/acme-challenge/sDI2XL6GO401Frn1mnlNip4kONU1uawtuk-Gcbli7Z8: 522
[Tue Jul 15 01:43:19 PM BST 2025] Please check log file for more details: /var/log/ispconfig/acme.log
15.07.2025-12:43 - WARNING - Let's Encrypt SSL Cert for mywebsite.com via acme.sh could not be issued. Used command: R=0 ; C=0 ; /root/.acme.sh/acme.sh --log '/var/log/ispconfig/acme.log' --issue -d 'mywebsite.com' -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --ecc --keylength ec-256 ; R=$? ; if [ $R -eq 0 ] || [ $R -eq 2 ]; then : ; /root/.acme.sh/acme.sh --log '/var/log/ispconfig/acme.log' --install-cert -d 'mywebsite.com' --ecc --key-file '/var/www/clients/client1/web3/ssl/mywebsite.com-le.key' --fullchain-file '/var/www/clients/client1/web3/ssl/mywebsite.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' ; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C ; fi
15.07.2025-12:43 - DEBUG [system.inc:2539] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
15.07.2025-12:43 - DEBUG [system.inc:2539] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
15.07.2025-12:43 - DEBUG [system.inc:2539] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
15.07.2025-12:43 - DEBUG [system.inc:2539] - safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web3/.php-fcgi-starter' - return code: 0
15.07.2025-12:43 - DEBUG [apache2 plugin.inc:1603] - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web3/.php-fcgi-starter
15.07.2025-12:43 - DEBUG [system.inc:2539] - safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web3/.php-fcgi-starter' - return code: 0
15.07.2025-12:43 - DEBUG [apache2 plugin.inc:1832] - Enable SSL for: mywebsite.com
15.07.2025-12:43 - DEBUG [apache2 plugin.inc:1893] - Writing the vhost file: /etc/apache2/sites-available/mywebsite.com.vhost
15.07.2025-12:43 - DEBUG [apache2 plugin.inc:2011] - Apache status is: running
15.07.2025-12:43 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
15.07.2025-12:43 - DEBUG [system.inc:2104] - Trying to use Systemd to restart service
15.07.2025-12:43 - DEBUG [system.inc:2539] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
15.07.2025-12:43 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
15.07.2025-12:43 - DEBUG [apache2 plugin.inc:2014] - Apache restart return value is: 0
15.07.2025-12:43 - DEBUG [apache2 plugin.inc:2025] - Apache online status after restart is: running
15.07.2025-12:43 - DEBUG [modules.inc:240] - Processed datalog_id 134
15.07.2025-12:43 - DEBUG [server:224] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished server.php.

[EDITED] - had forgotten to comment out in crontab... so have updated the output above!
Let's Encrypt complains that this domain cannot be reached on the server. Please double-check that it really points to the new server already (incl. any subdomains like www you might use).
Thanks @till. I double checked all the DNS settings again, and they were all correct - but I did spot a couple of IPv6 entries which were still in the DNS entries from a host I was using and had never removed - when I removed them it worked correctly... not sure if/why these unused entries would stop Let's Encrypt finding the server. But it seems to be working - thank you for your help (again).
These were not unused; if they exist, they will get used. IPv6 has priority over IPv4 when it comes to Let's Encrypt. Therefore, Let's Encrypt used these existing DNS records, which pointed to either a wrong server or no server at all, causing the authorization to fail.
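The failure mode till describes is easy to miss from a browser, because a browser quietly falls back to IPv4 while the validator hits whichever address it prefers. The script below is an added example (not ISPConfig's, acme.sh's or Let's Encrypt's code): it resolves every A and AAAA record a domain publishes, orders them IPv6-first to mirror the preference described in the reply above, and fetches the challenge path from each address directly with the Host header set, so a stale AAAA record shows up as its own failing row instead of being masked by a working A record. The resolver and fetcher are injectable; the constructed sample records, token and 522 answer are assumptions made for the offline demonstration and are not values from the thread.

```python
"""Probe every published address of a domain for an ACME HTTP-01 challenge path.

Added example, not code from ISPConfig, acme.sh or Let's Encrypt.
"""
import http.client
import socket
import sys
from typing import Callable, Dict, List, Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
V4, V6 = socket.AF_INET, socket.AF_INET6

Addr = Tuple[int, str]                              # (address family, IP literal)
Resolver = Callable[[str], List[Addr]]
Fetcher = Callable[[str, str, str], Tuple[int, str]]  # (address, host, token) -> (status, body)


def resolve_all(domain: str) -> List[Addr]:
    """Return every distinct (family, address) pair the DNS publishes for the domain."""
    seen, out = set(), []
    for family, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        pair = (family, sockaddr[0])
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def order_like_validator(addrs: List[Addr]) -> List[Addr]:
    """IPv6 first, then IPv4: the order the thread attributes to Let's Encrypt."""
    return [a for a in addrs if a[0] == V6] + [a for a in addrs if a[0] == V4]


def fetch_challenge(address: str, domain: str, token: str) -> Tuple[int, str]:
    """GET the challenge path from one specific address, sending Host: domain.

    A connection-level failure is reported as status -1 so "unreachable" and
    "reachable but wrong answer" (e.g. the 522 in the thread) stay distinguishable.
    """
    conn = http.client.HTTPConnection(address, 80, timeout=10)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    except OSError:
        return -1, ""
    finally:
        conn.close()


def check_domain(domain: str, token: str, expected_body: Optional[str] = None,
                 resolver: Resolver = resolve_all, fetcher: Fetcher = fetch_challenge) -> Dict[str, object]:
    """Probe every address; the check passes only if all of them serve the token."""
    results = []
    for family, address in order_like_validator(resolver(domain)):
        status, body = fetcher(address, domain, token)
        good = status == 200 and (expected_body is None or body.strip() == expected_body)
        results.append({"family": "IPv6" if family == V6 else "IPv4",
                        "address": address, "status": status, "ok": good})
    return {"domain": domain,
            "first_tried": results[0]["address"] if results else None,
            "results": results,
            "ok": bool(results) and all(r["ok"] for r in results)}


# Constructed sample mirroring the thread: a correct A record plus a stale AAAA
# record left over from an old host, which answers the probe with HTTP 522.
SAMPLE_RECORDS: List[Addr] = [(V4, "192.0.2.10"), (V6, "2001:db8::1")]
SAMPLE_TOKEN = "constructed-token"
SAMPLE_KEYAUTH = "constructed-token.constructed-thumbprint"


def sample_resolver(domain: str) -> List[Addr]:
    return list(SAMPLE_RECORDS)


def sample_fetcher(address: str, domain: str, token: str) -> Tuple[int, str]:
    return (200, SAMPLE_KEYAUTH + "\n") if address == "192.0.2.10" else (522, "")


if __name__ == "__main__":
    if len(sys.argv) >= 3:   # real run: python3 acme_probe.py mywebsite.com <token of a file you placed>
        report = check_domain(sys.argv[1], sys.argv[2])
    else:                    # offline run against the constructed sample
        report = check_domain("mywebsite.com", SAMPLE_TOKEN, SAMPLE_KEYAUTH,
                              resolver=sample_resolver, fetcher=sample_fetcher)
    for r in report["results"]:
        print(f"{r['family']:4} {r['address']:40} HTTP {r['status']:>4}  {'ok' if r['ok'] else 'FAIL'}")
    print("validator would try first:", report["first_tried"])
    print("all published addresses answer correctly:", report["ok"])
```

For a real run, place a file under the acme webroot (ISPConfig's /usr/local/ispconfig/interface/acme in the logs above) and pass its name as the token; every row must read ok before enabling the Let's Encrypt checkbox, since a record that only some addresses honour is exactly what the 522 in the acme log looked like.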
Thanks - I just learnt something new... I completely missed that the AAAA records were still there until you confirmed that LE couldn't see the server... because I could force the web browser there using http I was convinced the DNS was all fine. And it's nice to know the cause.