I am new to Linux, so please don't grill me. I have an Ubuntu 25.4 server with ISPConfig (perfect server installation). I host 30 websites, and after fixing a lot of DNS issues I got 28 to work. For two I don't get a Let's Encrypt certificate, and I have a BIG issue with three sites in the same domain (2 subdomains). The main domain is ww.kepos.at and it usually works fine. I have two other websites, lsb.kepos.at and mediation.kepos.at; both are separate websites with webs and different IPs. lsb.kepos.at worked fine (till today). ww.kepos.at worked fine (till today), but I never got mediation.kepos.at up and running with https. AFAICT it's totally the same setup as the others. AND the biggest problem is that when I am working on mediation.kepos.at, I kill the SSL access for both other domains. Right at this moment I have kepos.at up and running fine (had some issues with alias domains but excluded them in ISPConfig... now it seems OK). lsb.kepos.at worked fine till today; the mark on the Let's Encrypt box vanished and SSL-Checker is reporting a problem now. No idea how to get this thing up, since I definitely changed nothing in this setup. mediation.kepos.at is tested OK at Let's Encrypt, but I don't get an SSL handshake in SSL-Checker. I had some files in the ssl directory of the websites, including two err files, and in desperation I deleted all of them in the hope that they would be recreated... they are not. So the firewall can't be an issue, since all other sites work; DNS can't be an issue, since it's just two different A records in the same domain. It can't be a server issue, since all other sites work. How can working on one site affect the others? I also resynced and even made an update to the server, without any changes. The last thing I tried was changing the IP address of mediation.kepos.at to another IP.
I also tried building a logfile as stated in the pinned comment, but I got another error:
PHP Warning: fopen(./htf_report.txt): Failed to open stream: Permission denied in /var/www/clients/client1/web1/ssl/htf-common-issues.php on line 34
PHP Fatal error: Uncaught TypeError: fclose(): Argument #1 ($stream) must be of type resource, false given in /var/www/clients/client1/web1/ssl/htf-common-issues.php:35
Stack trace:
#0 /var/www/clients/client1/web1/ssl/htf-common-issues.php(35): fclose()
#1 {main}
thrown in /var/www/clients/client1/web1/ssl/htf-common-issues.php on line 35
So as I said, I am new to the Linux community as I turned my back on Microsoft, but I have to say in most cases it's not a warm welcome... hope it's different here. Thanks in advance for your help. (I am also dyslexic, so sorry for the typos)
Please follow this article step by step: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ It's important that you follow each step, and at the end of the article, it describes what to post if you were not able to solve the issue yourself (the output you get from server.sh in debug mode). Your post doesn't include that server.sh output, so I can only guess you might not have read it to the end. Without that info, we cannot help you. So please read it again and follow each step and post the required info in case the steps before did not solve your issue. Please do not manually delete files. First, ensure all sites use * in the IPv4 field or the IP. Do not mix it (see FAQ in read before posting). Also, if you access a site on an Apache or Nginx that has no SSL by using https, then another site must show up.
Thank you for your answer. I read the advice to delete those files in the web. For a newbie it's not easy to know which advice to follow and which not. I just checked again. I have no more * in the IP. Had that (also for the domains mentioned) but changed that to specific IPs for every web. I tried to run server.sh but got:
06.04.2026-15:27 - DEBUG [z php fpm incron reload plugin.inc:31] - You must install incron in order to use this plugin
06.04.2026-15:27 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
06.04.2026-15:27 - DEBUG [server:224] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
I also used crontab -e, but in the file that opened (/var/www/mediation.kepos.at/ssl) no active lines are shown.
That's ok so far, there was no action in the queue to be processed or in other words, you did not request a new LE SSL cert. Please enable the Let's Encrypt checkbox in the website and then run server.sh again.
06.04.2026-15:47 - WARNING - There is already an instance of server.php running with pid 2579197.
What I realized is that the time is incorrect. We have 17:47, but date shows the correct time.
The time is not an issue. You probably have to comment out server.sh in root crontab, then, to avoid it running (once a minute) before you run it manually. Ensure to enable the Let's Encrypt checkbox again before you run it, as we want to debug the action to get an SSL cert.
Is that what we want?
06.04.2026-16:18 - DEBUG [z php fpm incron reload plugin.inc:31] - You must install incron in order to use this plugin
06.04.2026-16:18 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
06.04.2026-16:18 - DEBUG [server:184] - Found 1 changes, starting update process.
06.04.2026-16:18 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
06.04.2026-16:18 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
06.04.2026-16:18 - DEBUG [system.inc:2551] - safe_exec cmd: chattr -i '/var/www/clients/client1/web5' - return code: 0
06.04.2026-16:18 - DEBUG [system.inc:2551] - safe_exec cmd: chattr +i '/var/www/clients/client1/web5' - return code: 0
06.04.2026-16:18 - DEBUG [system.inc:2551] - safe_exec cmd: df -T '/var/www/clients/client1/web5'|awk 'END{print $2,$NF}' - return code: 0
06.04.2026-16:18 - DEBUG [system.inc:2551] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
06.04.2026-16:18 - DEBUG [system.inc:2551] - safe_exec cmd: setquota -u 'web5' '0' '0' 0 0 -a &> /dev/null - return code: 0
setquota: Not setting block grace time on /dev/mapper/ubuntu--vg-ubuntu--lv because softlimit is not exceeded.
setquota: Not setting inode grace time on /dev/mapper/ubuntu--vg-ubuntu--lv because softlimit is not exceeded.
06.04.2026-16:18 - DEBUG [system.inc:2551] - safe_exec cmd: setquota -T -u 'web5' 604800 604800 -a &> /dev/null - return code: 0
06.04.2026-16:18 - DEBUG [system.inc:2551] - safe_exec cmd: chattr +i '/var/www/clients/client1/web5' - return code: 0
06.04.2026-16:19 - WARNING - Could not verify domain mediation.kepos.at, so excluding it from let's encrypt request.
06.04.2026-16:19 - DEBUG [system.inc:2551] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
06.04.2026-16:19 - DEBUG [system.inc:2551] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
06.04.2026-16:19 - DEBUG [apache2 plugin.inc:1907] - Writing the vhost file: /etc/apache2/sites-available/mediation.kepos.at.vhost
06.04.2026-16:19 - DEBUG [system.inc:2551] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
06.04.2026-16:19 - DEBUG [apache2 plugin.inc:3491] - Writing the PHP-FPM config file: /etc/php/8.4/fpm/pool.d/web5.conf
06.04.2026-16:19 - DEBUG [services.inc:56] - Calling function 'restartPHP_FPM' from module 'web_module'.
06.04.2026-16:19 - DEBUG [system.inc:2116] - Trying to use Systemd to restart service
06.04.2026-16:19 - DEBUG [system.inc:2551] - safe_exec cmd: systemctl is-enabled 'php8.4-fpm' 2>&1 - return code: 0
06.04.2026-16:19 - DEBUG [web module.inc:316] - Restarting php-fpm: systemctl reload php8.4-fpm.service
06.04.2026-16:19 - DEBUG [apache2 plugin.inc:2029] - Apache status is: running
06.04.2026-16:19 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
06.04.2026-16:19 - DEBUG [system.inc:2116] - Trying to use Systemd to restart service
06.04.2026-16:19 - DEBUG [system.inc:2551] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
06.04.2026-16:19 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
06.04.2026-16:19 - DEBUG [apache2 plugin.inc:2032] - Apache restart return value is: 0
06.04.2026-16:19 - DEBUG [apache2 plugin.inc:2043] - Apache online status after restart is: running
06.04.2026-16:19 - DEBUG [modules.inc:240] - Processed datalog_id 5606
06.04.2026-16:19 - DEBUG [server:224] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished server.php.
I assume that the problem lies here: 06.04.2026-16:19 - WARNING - Could not verify domain mediation.kepos.at, so excluding it from let's encrypt request. ..but why?
And for lsb.kepos.at it's:
06.04.2026-16:20 - DEBUG [z php fpm incron reload plugin.inc:31] - You must install incron in order to use this plugin
06.04.2026-16:20 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
06.04.2026-16:20 - DEBUG [server:184] - Found 1 changes, starting update process.
06.04.2026-16:20 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
06.04.2026-16:20 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
06.04.2026-16:20 - DEBUG [system.inc:2551] - safe_exec cmd: chattr -i '/var/www/clients/client1/web4' - return code: 0
06.04.2026-16:20 - DEBUG [system.inc:2551] - safe_exec cmd: chattr +i '/var/www/clients/client1/web4' - return code: 0
06.04.2026-16:20 - DEBUG [system.inc:2551] - safe_exec cmd: df -T '/var/www/clients/client1/web4'|awk 'END{print $2,$NF}' - return code: 0
06.04.2026-16:20 - DEBUG [system.inc:2551] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
06.04.2026-16:20 - DEBUG [system.inc:2551] - safe_exec cmd: setquota -u 'web4' '0' '0' 0 0 -a &> /dev/null - return code: 0
setquota: Not setting block grace time on /dev/mapper/ubuntu--vg-ubuntu--lv because softlimit is not exceeded.
setquota: Not setting inode grace time on /dev/mapper/ubuntu--vg-ubuntu--lv because softlimit is not exceeded.
06.04.2026-16:20 - DEBUG [system.inc:2551] - safe_exec cmd: setquota -T -u 'web4' 604800 604800 -a &> /dev/null - return code: 0
06.04.2026-16:20 - DEBUG [system.inc:2551] - safe_exec cmd: chattr +i '/var/www/clients/client1/web4' - return code: 0
06.04.2026-16:21 - WARNING - Could not verify domain lsb.kepos.at, so excluding it from let's encrypt request.
06.04.2026-16:21 - DEBUG [system.inc:2551] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
06.04.2026-16:21 - DEBUG [system.inc:2551] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
06.04.2026-16:21 - DEBUG [system.inc:2551] - safe_exec cmd: openssl x509 -noout -ocsp_uri -in '/var/www/clients/client1/web4/ssl/lsb.kepos.at-le.crt' - return code: 0
06.04.2026-16:21 - DEBUG [apache2 plugin.inc:1846] - Enable SSL for: lsb.kepos.at
06.04.2026-16:21 - DEBUG [apache2 plugin.inc:1907] - Writing the vhost file: /etc/apache2/sites-available/lsb.kepos.at.vhost
06.04.2026-16:21 - DEBUG [system.inc:2551] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
06.04.2026-16:21 - DEBUG [apache2 plugin.inc:3491] - Writing the PHP-FPM config file: /etc/php/8.4/fpm/pool.d/web4.conf
06.04.2026-16:21 - DEBUG [services.inc:56] - Calling function 'restartPHP_FPM' from module 'web_module'.
06.04.2026-16:21 - DEBUG [system.inc:2116] - Trying to use Systemd to restart service
06.04.2026-16:21 - DEBUG [system.inc:2551] - safe_exec cmd: systemctl is-enabled 'php8.4-fpm' 2>&1 - return code: 0
06.04.2026-16:21 - DEBUG [web module.inc:316] - Restarting php-fpm: systemctl reload php8.4-fpm.service
06.04.2026-16:21 - DEBUG [apache2 plugin.inc:2029] - Apache status is: running
06.04.2026-16:21 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
06.04.2026-16:21 - DEBUG [system.inc:2116] - Trying to use Systemd to restart service
06.04.2026-16:21 - DEBUG [system.inc:2551] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
06.04.2026-16:21 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
06.04.2026-16:21 - DEBUG [apache2 plugin.inc:2032] - Apache restart return value is: 0
06.04.2026-16:21 - DEBUG [apache2 plugin.inc:2043] - Apache online status after restart is: running
06.04.2026-16:21 - DEBUG [modules.inc:240] - Processed datalog_id 5607
06.04.2026-16:21 - DEBUG [server:224] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished server.php.
So this works... but the box "letsEncrypt" is not checked.
Either the A-Record of that subdomain does not point to the IP address of your server, or your server itself is not able to reach it, which means you must disable the Let's Encrypt check then (see Let's Encrypt error FAQ, it's one of the points in the list).
The IP is 85.124.207.149 and an A record on both DNS. It's resolved OK AFAICT. It works fine with http, just not https (since no certificate). Till yesterday the lsb.kepos.at site (exact copy of the mediation.kepos.at config) was working fine... today, as stated above, I get a certificate and it's working, but the Let's Encrypt checkbox is no longer checked. As I said, 28 websites are doing great (after some tuning)... just the *.kepos.at are doing strange things... I checked DNS several times, browsers can find the sites on port 80, and all other sites are reachable via 443... so no FW problem in my opinion. BUT I just checked that I can ping www.kepos.at from the server itself but not mediation.kepos.at. At the moment... no idea why. I am investigating (using Google NS 8.8.8.8)
As I said, you can disable the Let's Encrypt check as mentioned in the error FAQ document and try again; it might help in your current case. But normally, domains should be reachable from your system, and the reason why you don't get a cert at the moment is simply that it's unreachable from your server, and ISPConfig makes the same test that Let's Encrypt will perform. It tries to create a certain file on the domain, and if this fails because it's unreachable, it skips the LE cert process to avoid getting banned from LE for too many LE request failures.
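The local pre-check described in the reply above can be reproduced by hand from the server's own shell. The following is an added example, not part of the original thread and not ISPConfig's code: it drops a probe file, fetches it over HTTP from the same machine, and classifies the result. The function names, the probe file name and the challenge directory argument are assumptions; `/.well-known/acme-challenge/` is the standard ACME HTTP-01 path.

```sh
#!/bin/sh
# Added example (hypothetical helper, not ISPConfig code).
# Usage: sh selfcheck.sh DOMAIN CHALLENGE_DIR
# CHALLENGE_DIR is whatever directory your web server maps to
# /.well-known/acme-challenge/ for DOMAIN (an assumption; pass your own).

# classify CURL_EXIT HTTP_CODE BODY EXPECTED -> one-word verdict on stdout
classify() {
  rc=$1; code=$2; body=$3; expected=$4
  case "$rc" in
    0) ;;                                             # request completed
    6) echo dns-failure; return 0 ;;                  # name does not resolve here
    7|28) echo unreachable-from-server; return 0 ;;   # refused or timed out
    *) echo "curl-error-$rc"; return 0 ;;
  esac
  if [ "$code" != 200 ]; then
    echo "http-$code"          # a web server answered but did not serve the file
  elif [ "$body" = "$expected" ]; then
    echo ok                    # the server can reach its own site
  else
    echo wrong-content         # another vhost or a catch-all page answered
  fi
}

# Write a probe file, fetch it through the public name, clean up, classify.
selfcheck() {
  domain=$1; dir=$2; token="selfcheck-$$"
  tmp=$(mktemp) || return 2
  printf '%s' "$token" > "$dir/$token" || { rm -f "$tmp"; return 2; }
  code=$(curl -s -m 10 -o "$tmp" -w '%{http_code}' \
         "http://$domain/.well-known/acme-challenge/$token")
  rc=$?
  body=$(cat "$tmp")
  rm -f "$tmp" "$dir/$token"
  classify "$rc" "$code" "$body" "$token"
}

# Only touch the network when called with both arguments.
if [ "$#" -eq 2 ]; then
  selfcheck "$1" "$2"
fi
```

A verdict of `unreachable-from-server` while outside clients can load the site on port 80 points at routing or firewall rules between the server and its own public address, not at DNS or the vhost.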
Problem solved. You were right. The reason was a missing firewall rule that prevented the server from accessing its "own" websites. (The webserver was not able to access the external IPs.) So the "internal" check failed, which prevented the server from getting a certificate. Thanks a lot for your help!! I was a bit frightened to ask here since... people with little experience like me were sometimes not treated very nicely. Your software is great and you are superfast and competent, and you helped me to solve the problem perfectly. Please be a bit nicer to (other) newbs. Btw, it would really be great to be able to see the IP addresses a website uses in the overview...
I'm happy to help, and always nice when asked nicely. I don't recommend using IP addresses at all; just use * in all sites and you are good to go.