Can't get Lets Encrypt certificates

Discussion in 'ISPConfig 3 Priority Support' started by njellis, Feb 27, 2026 at 10:53 PM.

  1. njellis

    njellis New Member HowtoForge Supporter

    Hello - first thank you guys so much for these forums and ispconfig and the support you provide.
    I am moving my ispconfig from an old server to a new server. Everything is great, and done I believe - except lets-encrypt seems to not work.
    I used the excellent ISP Migration toolkit (huge time saver!). The sites are working with the old certificates still, but I cannot re-enable the LetsEncrypt for any of the sites via the ispconfig web interface. I've tried searching for solutions, often can find them - but to be honest, messing with certbot is a bit scary - I feel like in the past I did and broke stuff! :-D

    Deb 13; latest newest ispconfig release ISPConfig Version: 3.3.1
    From the great FAQ at https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/
    1. Using Certbot (been using ISPConfig a long time on the old server, running Deb 8 - thus using certbot on Deb 13)
    2. Version 4.0.0 of Certbot
    3. Yep ISPConfig Version: 3.3.1
    4. Not behind firewall - on linode VPS with no firewalls configured in linode
    5. Disabled cloudflare proxy and also tried with other domains where the nameserver isn't cloudflare or proxied.
    6. DNS A and www point directly to IP of server (ipv4)
    7. Using * in the ip address field in the web admin of ispconfig for sites.
    8. Apache 2.4
    9. Didn't come from much older ispconfig, but did "reconfigure services". Also tried to update --force as well.
    10. Not in Migration mode

    In trying to troubleshoot - perhaps with my far inferior ability - I've maybe tracked it down to this in the /var/log/letsencrypt/letsencrypt.log:
    Code:
    2026-02-27 16:22:02,528:DEBUG:certbot._internal.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/certbot", line 33, in <module>
        sys.exit(load_entry_point('certbot==4.0.0', 'console_scripts', 'certbot')())
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
        return internal_main.main(cli_args)
               ~~~~~~~~~~~~~~~~~~^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1872, in main
        return config.func(config, plugins)
               ~~~~~~~~~~~^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1560, in certonly
        le_client = _init_le_client(config, auth, installer)
      File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 832, in _init_le_client
        acc, acme = _determine_account(config)
                    ~~~~~~~~~~~~~~~~~~^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 730, in _determine_account
        potential_acc = display_ops.choose_account(accounts)
      File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 61, in choose_account
        code, index = display_util.menu("Please choose an account", labels, force_interactive=True)
                      ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 80, in menu
        return obj.get_display().menu(message, choices, default=default, cli_flag=cli_flag,
               ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                      force_interactive=force_interactive)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/display/obj.py", line 471, in menu
        raise self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))

    From ISP Config Debug log
    Code:
    27.02.2026-21:22 - DEBUG [letsencrypt.inc:388] - Verified domain mydomain.com should be reachable for let's encrypt.
    27.02.2026-21:22 - DEBUG [letsencrypt.inc:388] - Verified domain www.mydomain.com should be reachable for let's encrypt.
    27.02.2026-21:22 - DEBUG [letsencrypt.inc:163] - LE version is 4.0.0, so using --elliptic-curve secp256r1 instead of --rsa-key-size 4096
    27.02.2026-21:22 - DEBUG [letsencrypt.inc:176] - LE version is 4.0.0, so using --cert-name instead of --expand
    27.02.2026-21:22 - DEBUG [letsencrypt.inc:484] - Create Let's Encrypt SSL Cert for mydomain.com (ECDSA) via certbot, domains to include: mydomain.com, www.mydomain.com
    27.02.2026-21:22 - DEBUG [system.inc:1830] - exec: /usr/bin/certbot certonly -n --text --agree-tos --cert-name mydomain.com_ecc --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --elliptic-curve secp256r1 --email [email protected] --webroot-map '{"mydomain.com":"\/usr\/local\/ispconfig\/interface\/acme","www.mydomain.com":"\/usr\/local\/ispconfig\/interface\/acme"}'
    27.02.2026-21:22 - WARNING - Let's Encrypt SSL Cert for mydomain.com via certbot could not be issued. Used command: /usr/bin/certbot certonly -n --text --agree-tos --cert-name mydomain.com_ecc --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --elliptic-curve secp256r1 --email [email protected] --webroot-map '{"mydomain.com":"\/usr\/local\/ispconfig\/interface\/acme","www.mydomain.com":"\/usr\/local\/ispconfig\/interface\/acme"}'
    Any help would be amazing!
    Thank you guys again for all you do and this great project.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is that your server currently has two Let's Encrypt accounts: the one from the old server and a new one. ISPConfig can handle only one account, so you must delete one of the two accounts in certbot. My recommendation is to delete the new account and keep the one from the old server, as all existing LE certs from the old server are issued on that account.

    In the folder:

    /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/

    You have one cryptic-looking directory on the old server and two on the new server. Keep the one that is also on the old server and move the one that exists on the new server only to a backup folder (just to be sure in case we need it in future). Then try to issue an LE cert again.
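
An added example, not part of the original thread and not ISPConfig's or certbot's own code: one way to script the cleanup described in the reply above. It assumes the migrated certificates' renewal files under `renewal/*.conf` carry an `account = <id>` line naming the old server's account, which is used here to tell the two directories apart; the function names and the backup path are hypothetical.

```shell
#!/bin/sh
# Assumed certbot layout (LE is normally /etc/letsencrypt):
#   $LE/accounts/acme-v02.api.letsencrypt.org/directory/<account-id>/
#   $LE/renewal/<cert-name>.conf  containing "account = <account-id>"
ACME_SUBDIR="accounts/acme-v02.api.letsencrypt.org/directory"

# Print every account ID that exists on disk, one per line.
le_accounts() {
    for d in "$1/$ACME_SUBDIR"/*/; do
        if [ -d "$d" ]; then basename "$d"; fi
    done
    return 0
}

# Print the account IDs that existing renewal configs refer to.
le_referenced_accounts() {
    cat "$1"/renewal/*.conf 2>/dev/null |
        sed -n 's/^account[[:space:]]*=[[:space:]]*//p' | sort -u
}

# Print accounts no renewal config refers to (the candidates to move away).
le_unreferenced_accounts() {
    refs=$(le_referenced_accounts "$1")
    le_accounts "$1" | while read -r id; do
        printf '%s\n' "$refs" | grep -qxF -- "$id" || printf '%s\n' "$id"
    done
}

# Move unreferenced accounts into a backup folder (nothing is deleted).
# Refuses to act unless exactly one account would remain afterwards.
le_backup_unreferenced() {
    le_dir=$1; backup=$2
    total=$(le_accounts "$le_dir" | wc -l)
    extra=$(le_unreferenced_accounts "$le_dir")
    n_extra=$(printf '%s\n' "$extra" | sed '/^$/d' | wc -l)
    remaining=$((total - n_extra))
    if [ "$remaining" -ne 1 ]; then
        echo "refusing: $remaining account(s) would remain, expected 1" >&2
        return 1
    fi
    mkdir -p "$backup"
    printf '%s\n' "$extra" | sed '/^$/d' | while read -r id; do
        mv "$le_dir/$ACME_SUBDIR/$id" "$backup/$id"
    done
}

# Usage (as root), after reviewing the output of the first command:
#   le_unreferenced_accounts /etc/letsencrypt
#   le_backup_unreferenced /etc/letsencrypt /root/le-accounts-backup
```

If the refusal message appears, compare the directory names against the old server by hand, as the reply describes, before moving anything.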
     
