Hi, I'm trying to set up a new domain with a Let's Encrypt certificate - which did work fine the last time I did this, but now there seems to be a problem. The website is being set up correctly in ISPConfig, but the Let's Encrypt certificate seems to not be issued. I switched the log to debug, but tbh, I don't understand a bit of what the logfile tells me. Here is what it wrote into the logfile:
Code:
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1736, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1629, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 558, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2025-10-21 13:05:29,130:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
2025-10-21 13:08:08,446:DEBUG:certbot._internal.main:certbot version: 2.1.0
2025-10-21 13:08:08,446:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2025-10-21 13:08:08,446:DEBUG:certbot._internal.main:Arguments: ['-n', '--text', '--agree-tos', '--cert-name', 'subdomain.mydomain.de', '--authenticator', 'webroot', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--webroot-map', '{"subdomain.mydomain.de":"\\/usr\\/local\\/ispconfig\\/interface\\/acme"}']
2025-10-21 13:08:08,447:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-10-21 13:08:08,460:DEBUG:certbot._internal.log:Root logging level set at 30
2025-10-21 13:08:08,461:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2025-10-21 13:08:08,461:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f1738a05110>
Prep: True
2025-10-21 13:08:08,462:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f1738a05110> and installer None
2025-10-21 13:08:08,462:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2025-10-21 13:08:09,397:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1736, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1572, in certonly
    le_client = _init_le_client(config, auth, installer)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 827, in _init_le_client
    acc, acme = _determine_account(config)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 725, in _determine_account
    potential_acc = display_ops.choose_account(accounts)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 86, in choose_account
    code, index = display_util.menu("Please choose an account", labels, force_interactive=True)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 80, in menu
    return obj.get_display().menu(message, choices, default=default, cli_flag=cli_flag,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/display/obj.py", line 470, in menu
    raise self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['tempmail.server.eu@2024-08-12T11:00:03Z (df4d)', 'mail.server.eu@2019-10-08T15:25:09Z (2d51)', 'mail.server.eu@2024-08-12T15:27:58Z (a754)']
2025-10-21 13:08:09,400:ERROR:certbot._internal.log:Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['tempmail.server.eu@2024-08-12T11:00:03Z (df4d)', 'mail.server.eu@2019-10-08T15:25:09Z (2d51)', 'mail.server.eu@2024-08-12T15:27:58Z (a754)']
2025-10-21 13:08:10,128:DEBUG:certbot._internal.main:certbot version: 2.1.0
2025-10-21 13:08:10,129:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2025-10-21 13:08:10,129:DEBUG:certbot._internal.main:Arguments: ['--domains', 'subdomain.mydomain.de']
2025-10-21 13:08:10,129:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-10-21 13:08:10,141:DEBUG:certbot._internal.log:Root logging level set at 30
2025-10-21 13:08:10,222:DEBUG:certbot._internal.display.obj:Notifying user: Found the following matching certs:

Any idea on how to fix this?
Please show common issues report: https://forum.howtoforge.com/threads/please-read-before-posting.58408/
You showed debug log, but what was in /var/log/letsencrypt? Maybe you have created more than one Let's Encrypt account?
ah - my fault. this was the output of /var/log/letsencrypt....

htf_report:
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 12 (bookworm)
[INFO] uptime: 14:59:32 up 434 days, 21:45, 1 user, load average: 0,00, 0,13, 0,32
[INFO] memory:
gesamt benutzt frei gemns. Puffer/Cache verfügbar
Speicher: 31Gi 5,8Gi 6,4Gi 645Mi 20Gi 25Gi
Swap: 974Mi 2,8Mi 972Mi
[INFO] systemd failed services status:
UNIT LOAD ACTIVE SUB DESCRIPTION
● certbot.service loaded failed failed Certbot
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
1 loaded units listed.
[INFO] ISPConfig is installed.
##### ISPCONFIG #####
ISPConfig version is 3.2.12p1
##### VERSION CHECK #####
[INFO] php (cli) version is 8.2.29
[INFO] php-cgi (used for cgi php in default vhost!) is version 8.2.29
##### PORT CHECK #####
##### MAIL SERVER CHECK #####
[WARN] I found no "smtps" entry in your postfix master.cf
[INFO] this is not critical, but if you want to offer SSL for smtp (not TLS) connections you have to enable this.
##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
Apache 2 (PID 923875)
[INFO] I found the following mail server(s):
Unknown process (smtpd) (PID 933635)
[INFO] I found the following pop3 server(s):
Dovecot (PID 2092633)
[INFO] I found the following imap server(s):
Dovecot (PID 2092633)
[INFO] I found the following ftp server(s):
PureFTP (PID 191818)
##### LISTENING PORTS #####
Server) () Local (Address)
[localhost]:10023 (28871/postgrey)
[localhost]:11333 (923478/rspamd:)
[localhost]:11332 (923478/rspamd:)
[localhost]:11334 (923478/rspamd:)
[localhost]:11211 (144772/memcached)
[anywhere]:4190 (2092633/dovecot)
***.***.***.***:53 (3455812/named)
***.***.***.***:53 (3455812/named)
***.***.***.***:53 (3455812/named)
***.***.***.***:53 (3455812/named)
***.***.***.***:53 (3455812/named)
***.***.***.***:53 (3455812/named)
[localhost]:53 (3455812/named)
[localhost]:53 (3455812/named)
[localhost]:53 (3455812/named)
[localhost]:53 (3455812/named)
[localhost]:53 (3455812/named)
[localhost]:53 (3455812/named)
[localhost]:953 (3455812/named)
[localhost]:953 (3455812/named)
[localhost]:953 (3455812/named)
[localhost]:953 (3455812/named)
[localhost]:953 (3455812/named)
[localhost]:953 (3455812/named)
[anywhere]:993 (2092633/dovecot)
[anywhere]:995 (2092633/dovecot)
[anywhere]:587 (2092597/master)
[anywhere]:465 (2092597/master)
[anywhere]:143 (2092633/dovecot)
[anywhere]:110 (2092633/dovecot)
[anywhere]:25 (933635/smtpd)
[anywhere]:21 (191818/pure-ftpd)
[anywhere]:22 (3299486/sshd:)
[localhost]:6379 (1145376/redis-serve)
[anywhere]:3306 (2984123/mariadbd)
*:*:*:*::*:11332 (923478/rspamd:)
*:*:*:*::*:11333 (923478/rspamd:)
*:*:*:*::*:11334 (923478/rspamd:)
*:*:*:*::*:10023 (28871/postgrey)
*:*:*:*::*:4190 (2092633/dovecot)
*:*:*:*::*3819:23ff:fe39:53 (3455812/named)
*:*:*:*::*3819:23ff:fe39:53 (3455812/named)
*:*:*:*::*3819:23ff:fe39:53 (3455812/named)
*:*:*:*::*3819:23ff:fe39:53 (3455812/named)
*:*:*:*::*3819:23ff:fe39:53 (3455812/named)
*:*:*:*::*3819:23ff:fe39:53 (3455812/named)
*:*:*:*::*:53 (3455812/named)
*:*:*:*::*:53 (3455812/named)
*:*:*:*::*:53 (3455812/named)
*:*:*:*::*:53 (3455812/named)
*:*:*:*::*:53 (3455812/named)
*:*:*:*::*:53 (3455812/named)
*:*:*:*::*:953 (3455812/named)
*:*:*:*::*:953 (3455812/named)
*:*:*:*::*:953 (3455812/named)
*:*:*:*::*:953 (3455812/named)
*:*:*:*::*:953 (3455812/named)
*:*:*:*::*:953 (3455812/named)
*:*:*:*::*:8080 (923875/apache2)
*:*:*:*::*:8081 (923875/apache2)
*:*:*:*::*:993 (2092633/dovecot)
*:*:*:*::*:995 (2092633/dovecot)
*:*:*:*::*:587 (2092597/master)
*:*:*:*::*:6379 (1145376/redis-serve)
*:*:*:*::*:465 (2092597/master)
*:*:*:*::*:443 (923875/apache2)
[localhost]43 (2092633/dovecot)
*:*:*:*::*:80 (923875/apache2)
[localhost]10 (2092633/dovecot)
*:*:*:*::*:25 (933635/smtpd)
*:*:*:*::*:21 (191818/pure-ftpd)
*:*:*:*::*:22 (3299486/sshd:)
*:*:*:*::*:3306 (2984123/mariadbd)
##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-pure-ftpd 6 -- [anywhere]/0 [anywhere]/0 multiport dports 21
f2b-sshd 6 -- [anywhere]/0 [anywhere]/0 multiport dports 22
f2b-dovecot 6 -- [anywhere]/0 [anywhere]/0 multiport dports 110,995,143,993,587,465,4190
f2b-postfix-sasl 6 -- [anywhere]/0 [anywhere]/0 multiport dports 25
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-dovecot (1 references)
target prot opt source destination
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
RETURN 0 -- [anywhere]/0 [anywhere]/0
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
RETURN 0 -- [anywhere]/0 [anywhere]/0
Chain f2b-pure-ftpd (1 references)
target prot opt source destination
RETURN 0 -- [anywhere]/0 [anywhere]/0
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
REJECT 0 -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
RETURN 0 -- [anywhere]/0 [anywhere]/0
##### LET'S ENCRYPT #####
Certbot is installed in /usr/bin/letsencrypt

ISPConfig Log output is:
Code:
21.10.2025-15:24 - DEBUG [z php fpm incron reload plugin.inc:31] - You must install incron in order to use this plugin
21.10.2025-15:24 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
21.10.2025-15:24 - DEBUG [server:184] - Found 1 changes, starting update process.
21.10.2025-15:24 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
21.10.2025-15:24 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: chattr -i '/var/www/clients/client17/web10' - return code: 0
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client17/web10' - return code: 0
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: df -T '/var/www/clients/client17/web10'|awk 'END{print $2,$NF}' - return code: 0
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -u 'web10' '0' '0' 0 0 -a &> /dev/null - return code: 0
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -T -u 'web10' 604800 604800 -a &> /dev/null - return code: 0
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client17/web10' - return code: 0
21.10.2025-15:24 - DEBUG [letsencrypt.inc:393] - Verified domain sub.domain.de should be reachable for letsencrypt.
21.10.2025-15:24 - DEBUG [letsencrypt.inc:156] - LE version is 2.1.0, so using certificates command and --cert-name instead of --expand
21.10.2025-15:24 - DEBUG [letsencrypt.inc:436] - Create Let's Encrypt SSL Cert for: sub.domain.de
21.10.2025-15:24 - DEBUG [letsencrypt.inc:437] - Let's Encrypt SSL Cert domains:
21.10.2025-15:24 - DEBUG [system.inc:1826] - exec: /usr/bin/certbot certonly -n --text --agree-tos --cert-name sub.domain.de --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-map '{"sub.domain.de":"\/usr\/local\/ispconfig\/interface\/acme"}'
21.10.2025-15:24 - DEBUG [letsencrypt.inc:473] - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
21.10.2025-15:24 - DEBUG [letsencrypt.inc:473] - LE CERT OUTPUT: Found the following matching certs:
21.10.2025-15:24 - DEBUG [letsencrypt.inc:473] - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
21.10.2025-15:24 - DEBUG [letsencrypt.inc:473] - LE CERT OUTPUT:
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
21.10.2025-15:24 - WARNING - Let's Encrypt SSL Cert for: sub.domain.de could not be issued.
21.10.2025-15:24 - WARNING - /usr/bin/certbot certificates --domains sub.domain.de
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
21.10.2025-15:24 - DEBUG [apache2 plugin.inc:1892] - Writing the vhost file: /etc/apache2/sites-available/sub.domain.de.vhost
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
21.10.2025-15:24 - DEBUG [apache2 plugin.inc:3464] - Writing the PHP-FPM config file: /etc/php/8.3/fpm/pool.d/web10.conf
21.10.2025-15:24 - DEBUG [services.inc:56] - Calling function 'restartPHP_FPM' from module 'web_module'.
21.10.2025-15:24 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'php8.3-fpm' 2>&1 - return code: 0
21.10.2025-15:24 - DEBUG [web module.inc:316] - Restarting php-fpm: systemctl reload php8.3-fpm.service
21.10.2025-15:24 - DEBUG [apache2 plugin.inc:2010] - Apache status is: running
21.10.2025-15:24 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
21.10.2025-15:24 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
21.10.2025-15:24 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
21.10.2025-15:24 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
21.10.2025-15:24 - DEBUG [apache2 plugin.inc:2013] - Apache restart return value is: 0
21.10.2025-15:24 - DEBUG [apache2 plugin.inc:2024] - Apache online status after restart is: running
21.10.2025-15:24 - DEBUG [modules.inc:240] - Processed datalog_id 599
21.10.2025-15:24 - DEBUG [server:224] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
It seems as if you have two accounts in certbot and you can have only one as ISPConfig calls certbot without a specific account flag, which makes it fail when there is more than one account. You must remove one of the accounts, preferably the one without certificates or with the least number of certificates.
I went to /etc/letsencrypt/accounts and there is one directory: acme-v02.api.letsencrypt.org containing a directory named "directory". When I list the content of this directory, there are 3 subdirectories:
Code:
drwx------ 2 root root 4096 8. Okt 2019 2d51e775617c94a5bc94ba94c931be22
drwx------ 2 root root 4096 12. Aug 2024 a75455ebc87ab479d4882c840f2c2c8f
drwx------ 2 root root 4096 12. Aug 2024 df4db06927c51420b722f3b54cd61d42

and all three contain the same files with the same size:
Code:
drwx------ 2 root root 4096 8. Okt 2019 .
drwx------ 5 root root 4096 8. Okt 2019 ..
-rw-r--r-- 1 root root 79 8. Okt 2019 meta.json
-r-------- 1 root root 3169 8. Okt 2019 private_key.json
-rw-r--r-- 1 root root 78 8. Okt 2019 regr.json
root@angua:/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory# l a75455ebc87ab479d4882c840f2c2c8f/
insgesamt 20
drwx------ 2 root root 4096 12. Aug 2024 .
drwx------ 5 root root 4096 8. Okt 2019 ..
-rw-r--r-- 1 root root 79 12. Aug 2024 meta.json
-r-------- 1 root root 3169 12. Aug 2024 private_key.json
-rw-r--r-- 1 root root 80 12. Aug 2024 regr.json
root@angua:/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory# l df4db06927c51420b722f3b54cd61d42/
insgesamt 20
drwx------ 2 root root 4096 12. Aug 2024 .
drwx------ 5 root root 4096 8. Okt 2019 ..
-rw-r--r-- 1 root root 83 12. Aug 2024 meta.json
-r-------- 1 root root 3169 12. Aug 2024 private_key.json
-rw-r--r-- 1 root root 80 12. Aug 2024 regr.json
Never mind: I moved all but one of the directories in /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory away. Now it seems to work.
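
Added example (not part of the thread, and not ISPConfig or certbot code): a read-only check of which certbot account each certificate lineage is tied to, useful for deciding which account directory to keep when several exist. It assumes certbot's usual layout, in which each renewal/*.conf under the config directory records its account as an "account = <id>" line; the sample tree reuses the three account directory names from the listing above, while the lineage names and their assignment to an account are constructed.

```python
#!/usr/bin/env python3
"""Map certbot ACME accounts to the renewal configs that reference them."""
import re
import sys
import tempfile
from pathlib import Path

# Renewal files are ConfigObj-style (top-level keys before [renewalparams]),
# so the account line is matched directly instead of using configparser.
ACCOUNT_LINE = re.compile(r"^\s*account\s*=\s*(\S+)\s*$", re.MULTILINE)

def account_usage(config_dir):
    """Return ({account_id: [lineage, ...]}, {lineage: missing_account_id})."""
    root = Path(config_dir)
    usage = {p.name: [] for p in sorted(root.glob("accounts/*/directory/*"))
             if p.is_dir()}
    orphans = {}
    for conf in sorted(root.glob("renewal/*.conf")):
        m = ACCOUNT_LINE.search(conf.read_text())
        if not m:
            continue                          # lineage records no account
        if m.group(1) in usage:
            usage[m.group(1)].append(conf.stem)
        else:
            orphans[conf.stem] = m.group(1)   # account directory is not on disk
    return usage, orphans

def build_sample(root):
    """Constructed sample tree: account ids from the thread, made-up lineages."""
    ids = ["2d51e775617c94a5bc94ba94c931be22",
           "a75455ebc87ab479d4882c840f2c2c8f",
           "df4db06927c51420b722f3b54cd61d42"]
    for acc in ids:
        (root / "accounts/acme-v02.api.letsencrypt.org/directory" / acc).mkdir(parents=True)
    (root / "renewal").mkdir()
    # Assumed assignment, for illustration only: both lineages use the 2019 account.
    for name in ("example.org", "mail.example.org"):
        (root / "renewal" / f"{name}.conf").write_text(
            f"version = 2.1.0\n[renewalparams]\naccount = {ids[0]}\n"
            "authenticator = webroot\n")
    return ids

if __name__ == "__main__":
    if len(sys.argv) > 1:
        base = Path(sys.argv[1])              # e.g. /etc/letsencrypt, only read
    else:
        base = Path(tempfile.mkdtemp())       # no argument: run on the sample
        build_sample(base)
    usage, orphans = account_usage(base)
    for acc, lineages in usage.items():
        print(f"{acc}  {len(lineages)} cert(s)  {', '.join(lineages) or '-'}")
    for lineage, acc in orphans.items():
        print(f"WARNING: {lineage} references missing account {acc}")
```

Run as root with /etc/letsencrypt as the argument; an account listed with 0 cert(s) is the candidate to move away, and a WARNING line means a renewal config still points at an account directory that is no longer there.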