Hi all,

I am helping a friend build his websites. I already have a couple of websites on my own webserver using ISPConfig3 with several domains and alias domains working well with Let's Encrypt. After the installation of this server I have a problem now: Let's Encrypt is not working. I can set up "SSL", but only with self-signed certificates.

shop.bsp-engineering.de is pointing to the shop site (/var/www/clients/client0/web11) and bsp-engineering.de / www.bsp-engineering.de is pointing to the other one (/var/www/clients/client0/web10) (again: works well).

If I check the "Let's Encrypt SSL" box the following things are happening:

1st: Checkbox value is not persistent. After finishing the job queue it is unchecked again.
2nd: DNS is not working anymore. bsp-engineering.de / www.bsp-engineering.de is pointing to the shop site now (/var/www/clients/client0/web11). Reproducible. Fixing is possible just when changing anything else in the configuration like "Logfiles retention time". After that DNS is working again, but Let's Encrypt still is not.

I already deleted the websites and created them again. Same effect.

When I check the letsencrypt.log I can find DNS problems:

"detail": "Error finalizing order :: While processing CAA for www.bsp-engineering.de: DNS problem: query timed out looking up CAA for www.bsp-engineering.de",

I am not quite sure if this is a result of the problems with DNS I also have using the browser or if it is the other way round. Before the error comes up in the logfile I can see that certbot tries to get a certificate:

2020-03-10 07:55:07,775:DEBUG:acme.client:Sending POST request to [...]: { "signature": "b [...]
2020-03-10 07:55:07,943:DEBUG:urllib3.connectionpool:[...] "POST /acme/authz-v3/3255831730 HTTP/1.1" 200 731
2020-03-10 07:55:07,945:DEBUG:acme.client:Received response: HTTP 200 Server: nginx [...]
2020-03-10 07:55:07,945:DEBUG:acme.client:Storing nonce: 0101H63ddNYJZd2jXUZnUwgrgzIrO6rUtrHLi60dtMK3mH8
2020-03-10 07:55:07,947:DEBUG:certbot.client:CSR: CSR(file='/etc/letsencrypt/csr/0000_csr-certbot.pem', data=b'-----BEGIN CERTIFICATE REQUEST-----\nM [...]
2020-03-10 07:55:07,982:DEBUG:acme.client:Sending POST request to [...]: { "signature": "KC [...]
2020-03-10 07:55:38,257:DEBUG:urllib3.connectionpool: [...] "POST /acme/finalize/80133163/2603299243 HTTP/1.1" 403 1622
2020-03-10 07:55:38,259:DEBUG:acme.client:Received response: HTTP 403 Server: nginx

Why is "nginx" used? I am using the apache webservice. Is this part of the problem?

Perhaps it is helpful to know that the domains are not located at the websites' hoster. Domains are located at "domainfactory", servers at "hosteurope". There are A-records for "bsp-engineering.de" and "*.bsp-engineering.de" at domainfactory.

Thanks for your help
Best regards
Christopher
Yes, that's a DNS problem. LE will not issue a cert when it can't reach your DNS server to verify if there is a CAA record and if that CAA record allows certs to be issued by LE.
I agree, but as it worked before setting the checkbox, in my opinion the records are set up the right way. Domainfactory screenshot of the DNS records: I have only A-records (CAA is not available), but if the entries were not ok, I guess the websites also would not be reachable via browser?!
LE fails and that's why the checkbox gets removed, as the LE certbot client returns that issuing of the cert failed.
LE does not complain about the A records. LE complains that it tried to fetch CAA records and that this action timed out. Maybe you have a non-working secondary DNS or so. Use intodns.com to check the DNS setup of that domain.
All is green except the SOA serial, which is surely caused by the current self-signed certificate. Isn't it?

Edit: Added htf_report.txt
No, this is not related to SSL at all, but should be ok. So back to the original problem, what you can try is to add CAA records for the domain in DNS which allow LE to issue a cert, then wait until the new record got populated and then try enabling LE again.
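To make the CAA logic from the replies above concrete, here is an added example (not code from the thread, ISPConfig, certbot or Let's Encrypt) that evaluates CAA records the way RFC 8659 tells a CA to do it before issuing: walk from the requested name toward the root, take the first non-empty CAA RRset, and then check the `issue`/`issuewild` properties for the CA's identifier. The zone data and the `sample_resolver` stand-in for a real DNS query are constructed; `example.com`, `locked.example`, `wild.example`, `strict.example` and `broken.example` are placeholder names, not the domains in this thread. It also shows the case the log line in the first post describes: a lookup that times out is not the same as "no CAA records", so the CA refuses to issue.

```python
# Added example: CAA evaluation as a CA performs it before issuing (RFC 8659).
# Not code from ISPConfig, certbot or Let's Encrypt; all zone data is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ISSUER_CRITICAL = 128  # bit 7 of the CAA flags byte


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str    # "issue", "issuewild", "iodef", or an unknown/future tag
    value: str  # e.g. "letsencrypt.org", or ";" meaning "no CA may issue"


# Constructed sample zone data (assumption): owner name -> CAA RRset.
# An owner name that is absent here simply has no CAA records.
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [CAARecord(0, "issue", "letsencrypt.org"),
                    CAARecord(0, "iodef", "mailto:hostmaster@example.com")],
    "locked.example": [CAARecord(0, "issue", ";")],
    "wild.example": [CAARecord(0, "issue", "letsencrypt.org"),
                     CAARecord(0, "issuewild", ";")],
    "strict.example": [CAARecord(ISSUER_CRITICAL, "futuretag", "opaque")],
}

# Constructed: names whose nameservers never answer, like the thread's log line.
TIMEOUT_NAMES = {"broken.example", "www.broken.example"}

Resolver = Callable[[str], List[CAARecord]]


def sample_resolver(owner: str) -> List[CAARecord]:
    """Stand-in for a real CAA query; raises TimeoutError for unreachable zones."""
    if owner in TIMEOUT_NAMES:
        raise TimeoutError(f"query timed out looking up CAA for {owner}")
    return SAMPLE_ZONE.get(owner, [])


def relevant_caa_set(name: str, resolve: Resolver) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: walk from the name toward the root; the first
    non-empty CAA RRset is the relevant one. A wildcard '*.x' starts at 'x'."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = resolve(owner)   # may raise TimeoutError
        if rrset:
            return owner, rrset
    return None, []


def issuance_allowed(name: str, ca: str = "letsencrypt.org",
                     resolve: Resolver = sample_resolver) -> Tuple[bool, str]:
    """Decide whether `ca` may issue for `name`; returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    try:
        owner, rrset = relevant_caa_set(name, resolve)
    except TimeoutError as exc:
        # A failed lookup is not "no CAA records": the CA must fail closed.
        return False, f"DNS problem: {exc}"
    if not rrset:
        return True, "no CAA records at any ancestor; issuance not restricted"
    # A critical property the CA does not understand forbids issuance outright.
    known = {"issue", "issuewild", "iodef"}
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in known:
            return False, f"critical property {rr.tag!r} at {owner} not understood"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, f"CAA at {owner} has no issue/issuewild property; not restricted"
    for rr in relevant:
        issuer = rr.value.split(";", 1)[0].strip().lower()  # drop parameters
        if issuer == ca.lower():
            return True, f"{rr.tag} {rr.value!r} at {owner} permits {ca}"
    return False, f"CAA at {owner} does not permit {ca}"


if __name__ == "__main__":
    for n in ["www.example.com", "host.nocaa.test", "locked.example",
              "*.wild.example", "host.wild.example", "strict.example",
              "www.broken.example"]:
        ok, why = issuance_allowed(n)
        print(f"{n:22s} {'ISSUE ' if ok else 'REFUSE'}  {why}")
```

The `www.broken.example` case is the one that matters for this thread: the CA never sees an empty answer it could treat as "unrestricted", it sees no answer at all and refuses. Adding an `issue` record that names the CA only helps once the authoritative nameservers actually answer CAA queries.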
Hi till,

as on df.eu there is no option for a CAA entry I moved the domain to the hoster's side where the machines are located. Even there CAA was not possible. But I compared it with my server (same hoster) where LE works perfectly. I set up all DNS entries I also had on my server. Unfortunately it did not work again.

I checked the machines further and found out that certs have been created in the letsencrypt folder:

/etc/letsencrypt/live/shop.bsp-engineering.de
/etc/letsencrypt/live/bsp-engineering.de/

I have chain.pem, fullchain.pem and privkey.pem. I found out that on my machine I had symlinks in /var/www/...ssl/ to this folder. On my friend's side not. So as an experiment I created them. After that I tried to check the "le" checkbox in ISPConfig3 again and magic: It works now. Any idea why?