Trouble with Letsencrypt

Discussion in 'Installation/Configuration' started by brainsys, Aug 29, 2025.

  1. brainsys

    brainsys Active Member

    I have four almost identical ISPConfig servers running for many years. Suddenly one last week stopped renewing Letsencrypt certificates. It also stopped producing Letsencrypt log files on 23/08 so it looks like it's not failing to renew - it's just not running at all. I don't see any reference to it in crontab. Any suggestions on restarting/diagnosis?

    I haven't touched that server to cause any change.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. brainsys

    brainsys Active Member

    Thank you for your speedy reply. I'm still stuck. This server has been running ISPConfig/Certbot for four years, first under Bullseye and now upgraded to Bookworm. Everything is up to date, as is ISPConfig. I do an 'apt update && apt full-upgrade -y' every week.

    I can't see how certbot is run daily in /etc/cron.daily and 'certbot' is not recognised at the root command prompt in either the working or non-working servers. But the Letsencrypt log shows that certbot did run successfully on another server this morning, on which the command 'certbot renew --cert-name domain1.com --dry-run' also produces certbot not found. Hence the confusion. This is an extract from that server's log:
    Code:
    2025-08-29 03:00:18,704:DEBUG:certbot._internal.main:certbot version: 1.1.0
    2025-08-29 03:00:18,705:DEBUG:certbot._internal.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2025-08-29 03:00:18,705:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPo>
    2025-08-29 03:00:18,759:DEBUG:certbot._internal.log:Root logging level set at 20
    2025-08-29 03:00:18,760:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2025-08-29 03:00:18,792:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli._Default object at 0x7fab5cbb4450> and installer <certbot._internal.cli._Default o>
    2025-08-29 03:00:18,823:INFO:certbot._internal.renewal:Cert not yet due for renewal
    
     
  4. brainsys

    brainsys Active Member

    I just did an 'apt install certbot python3-certbot-apache --dry-run' and it looks as though certbot has disappeared from all servers. From the problematical one last week after I did the apt update and on the working ones after this morning's apt update. Should I try re-installing it or is deprecation moving to removal?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig supports certbot and acme.sh equally. The important thing is to not switch as you will lose all certs, so if your system were using certbot, then install certbot again.
     
  6. brainsys

    brainsys Active Member

    It's getting complicated. When I re-install certbot it appears to use acme but with the certbot syntax and logging. When I try and force renewal of an expiring website - it works (after a fashion) but doesn't include the site aliases. I could include them after the -d but I was wondering how ISPConfig uses certbot to automatically do this and put the certificates in the original /etc/letsencrypt/live/domain directory instead of creating /etc/letsencrypt/live/domain-0001 so the website doesn't pick them up.

    The real mystery is how certbot disappeared when the only action on the server was the weekly apt update last week. The servers I updated today are now reporting no certbot command. It ran last night on these. I'm guessing not tonight. Nothing in the apt logs to suggest anything was deleted.

    I understand if you feel this is a letsencrypt problem not ispconfig and take the issues there. But it would help if I understood how ispconfig used it.

    Maybe best to wait 24 hours to get more info.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not manually run certbot. If certificates or domains in certificates are missing for sites, disable the Let's Encrypt checkbox in the site, press Save, enable it again, and press Save.
     
  8. brainsys

    brainsys Active Member

    Thank you, that worked for sites <30 days. I guess I shall have to rinse and repeat as the other domains cross the threshold unrenewed. The real mystery is what caused the issue after 4 years when the only change on the server was the standard weekly apt update which caused certbot to go awol.
     
  9. brainsys

    brainsys Active Member

    Another thought and a possible feature request is incorporating in ISPConfig's monitor page an alert for expiring domain certs. I do a weekly monitor because years ago a customer's cert expired because an aliased domain expired and I hadn't removed it from site settings. So the first indication was when his site certificate failed. Very embarrassing. Also I have a website of parked domains which is always in flux and so could easily fail for the same reason. It's a simple bit of code to check expirations and flag those that drop under 30 days.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    ISPConfig is free software but it is a very decent one, so there is a log for LE activities, if any admins mind and care enough to check on a daily basis, even in the ISPConfig GUI.

    Or they can write their own monitoring and automatic fixing scripts, to cover per website basis, if they wanted to, especially those who claimed it is simple / easy to do this and that.

    Also note that the correct ISPConfig server setup already is sending email to the registered account about any failed renewal after 60 days, which is within 30 days before any LE SSL certs expiry.
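
The monitoring discussed in the last two posts, written as an added example (not ISPConfig code and not from any poster in this thread): it flags the three symptoms reported above, namely a renewal job that silently stopped logging, `-0001` duplicate lineages, and certificates under 30 days from expiry. The paths are the ones quoted in the thread; the function names and the two-day staleness threshold are assumptions.

```python
import re, subprocess
from datetime import datetime, timezone
from pathlib import Path

LOG_TS = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:")

def last_log_time(log_text):
    """Newest timestamp in letsencrypt.log text, or None if there is none."""
    stamps = [m.group(1) for m in map(LOG_TS.match, log_text.splitlines()) if m]
    return max((datetime.strptime(s, "%Y-%m-%d %H:%M:%S") for s in stamps), default=None)

def renewal_stalled(log_text, now, max_age_days=2):
    """True when the renew run has stopped writing to the log.
    Log freshness is used instead of looking for a certbot binary on PATH,
    which the thread shows is missing even on servers that still renew.
    max_age_days=2 assumes a daily run, as in the 03:00 log extract."""
    last = last_log_time(log_text)
    return last is None or (now - last).days >= max_age_days

def duplicate_lineages(live_dir):
    """Directories such as example.com-0001 whose base lineage also exists."""
    names = {p.name for p in Path(live_dir).iterdir() if p.is_dir()}
    return sorted(n for n in names if re.fullmatch(r".+-\d{4}", n) and n[:-5] in names)

def days_left(enddate_line, utc_now):
    """Whole days to expiry, from `openssl x509 -noout -enddate` output."""
    expiry = datetime.strptime(enddate_line.strip().split("=", 1)[1], "%b %d %H:%M:%S %Y %Z")
    return (expiry - utc_now).days

def report(live="/etc/letsencrypt/live", log="/var/log/letsencrypt/letsencrypt.log",
           threshold_days=30):
    """Run all checks on a live server (needs root and the openssl CLI)."""
    problems = []
    log_path = Path(log)
    log_text = log_path.read_text(errors="replace") if log_path.exists() else ""
    if renewal_stalled(log_text, datetime.now()):  # log times assumed to be local time
        problems.append(f"no recent renewal run logged in {log}")
    problems += [f"duplicate lineage {n}" for n in duplicate_lineages(live)]
    utc_now = datetime.now(timezone.utc).replace(tzinfo=None)
    for cert in sorted(Path(live).glob("*/cert.pem")):
        out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", str(cert)],
                             capture_output=True, text=True, check=True).stdout
        if days_left(out, utc_now) < threshold_days:
            problems.append(f"{cert.parent.name}: under {threshold_days} days left")
    return problems

if __name__ == "__main__":
    print("\n".join(report()) or "all checks passed")
```

Run from root's crontab, any non-empty output can be mailed to the admin; it only reads the certificate store and log and never calls certbot itself.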
     
