Since certbot in Ubuntu 16.04 has been upgraded to version 22, it is now ready to use ACME v2. I believe ISPConfig developers are already working on this but everybody has to be patient since it may not be out in the near future.

As I am currently using CloudFlare as my DNS server, I would like to share some tips/tricks that I recently used on my Ubuntu nginx web server in order to issue Let's Encrypt wildcard SSL certs for one of my domains.

Firstly, other than installing the default certbot via "apt -y install python-certbot-nginx", I have to install the CloudFlare plugin for it too. I did this by running "apt -y install python3-certbot-dns-cloudflare python3-cloudflare". This plugin is essential for this tip/trick.

Secondly, create a hidden folder accessible only by the root user and a file for the required credentials to be filled in.

Code:
mkdir /etc/letsencrypt/.secrets
chown root:root /etc/letsencrypt/.secrets
# A directory needs the execute bit to be entered, so 700 rather than 600
chmod 700 /etc/letsencrypt/.secrets
# Create the credential file
nano /etc/letsencrypt/.secrets/domain.tld.ini
# Keep the API key readable by root only
chmod 600 /etc/letsencrypt/.secrets/domain.tld.ini

Thirdly, add the required credentials inside the file. You obtain these from the CloudFlare control panel for your domain.

Code:
# CloudFlare API key information
dns_cloudflare_api_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dns_cloudflare_email = [email protected]

And lastly, run certbot using the cloudflare plugin for the wanted domain(s), using DNS validation, to issue your domain certs, including for its wildcard subdomain, if you want.

Code:
certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/.secrets/domain.tld.ini \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  --dns-cloudflare-propagation-seconds 60 \
  --rsa-key-size 4096 \
  --renew-hook letsencrypt_renew_hook.sh \
  -d domain.tld \
  -d '*.domain.tld'

These new certs will default to the same usual Let's Encrypt folder, which you can manually use with ISPConfig.
Its renewal file should look like this:

Code:
# renew_before_expiry = 30 days
version = 0.22.0
archive_dir = /etc/letsencrypt/archive/domain.tld
cert = /etc/letsencrypt/live/domain.tld/cert.pem
privkey = /etc/letsencrypt/live/domain.tld/privkey.pem
chain = /etc/letsencrypt/live/domain.tld/chain.pem
fullchain = /etc/letsencrypt/live/domain.tld/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-cloudflare
installer = None
dns_cloudflare_credentials = /etc/letsencrypt/domain.tld.ini

I think renewing via certbot renew should cover renewing this as well after the lapse of 60 days and before 90 days, but I cannot confirm its renewal will work since mine is not subject to any renewal yet. So, please be attentive to the friendly reminder email from Let's Encrypt, just in case its renewal somehow fails after 60 days, as you may need to do it manually.
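
An unattended renewal reads the Cloudflare credentials from whatever path is stored under dns_cloudflare_credentials in the renewal file, so that path has to exist and stay private. The following pre-flight check is an added example, not part of the original post; the function names, return codes and messages are illustrative assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a certbot renewal config that uses the
# dns-cloudflare authenticator. Function names and messages are illustrative.

# Print the value of "key = value" from a certbot renewal .conf file.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Usage: check_renewal_creds <renewal.conf> [expected-owner-uid, default 0]
# Returns 0 when the credentials file the renewal will read exists, belongs to
# the expected uid and grants nothing to group/other; otherwise prints why.
check_renewal_creds() {
    conf=$1
    want_uid=${2:-0}

    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    auth=$(conf_value "$conf" authenticator)
    [ "$auth" = "dns-cloudflare" ] || { echo "authenticator is '$auth'"; return 3; }

    creds=$(conf_value "$conf" dns_cloudflare_credentials)
    [ -n "$creds" ] || { echo "no dns_cloudflare_credentials entry"; return 4; }
    [ -f "$creds" ] || { echo "credentials file missing: $creds"; return 5; }

    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
    set -- $(ls -ldn "$creds")
    mode=$1 uid=$3
    [ "$uid" = "$want_uid" ] || { echo "$creds owned by uid $uid"; return 6; }

    # Characters 5-10 of the mode string are the group and other bits.
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "$creds is accessible to group/other ($mode)"; return 7 ;;
    esac

    echo "ok: $creds"
}
```

Run as root, for example check_renewal_creds /etc/letsencrypt/renewal/domain.tld.conf (certbot's default renewal directory); a non-zero return names the problem to fix before the certificate comes up for renewal.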