So I've had to reinstall ISPConfig three times now on my VM, but each time having the same exact issue with Let's Encrypt SSL not verifying my domain. At first I followed this perfect server guide (howtoforge. com/ispconfig-autoinstall-debian-ubuntu) twice (I did --use-nginx on second install), and most recently I did manual config according to this guide (howtoforge. com/tutorial/perfect-server-ubuntu-20.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig). I have read the LE FAQ several times, read through numerous forum posts, and even purchased the 3.1 manual, but nothing had fixed my SSL issues.

Just now I tried enabling "Skip Letsencrypt check" in System > Server Config > [hostname] > Web, and then enabled "Let's Encrypt SSL" for my site, and it is working without errors. My question is why did this work and why wasn't LE working before? Also, what is this "Letsencrypt check" and is it less secure to skip it like this?

For the first two installations I'm pretty sure my /etc/hosts contained "127.0.1.1 srv1 .myhostname. com srv1", which never felt right to me. I saw this same IP 127.0.1.1 appear when trying to update ISPConfig, saying "Server's public ip(s) (***.***.***.***) not found in A/AAAA records for srv1 .myhostname. com: 127.0.1.1"... see full logs at very bottom. On my third installation, I changed it to 192.167.77.100, the local IP of the server in my network. This didn't seem to fix anything either, so I manually changed it to the server's public IP, and below is the current config of /etc/hosts, excluding IPv6 stuff:

Code:
127.0.0.1 localhost
# 192.167.77.100 srv1 .myhostname. com srv1
***.***.***.*** srv1 .myhostname. com srv1

Could this be making a difference? Should I reinstall while using the public IP in /etc/hosts? I read through the thread titled "Let's Encrypt SSL certificate not installing inside ISPConfig during installation - DNS server issue" but wasn't sure what was "correct".
FYI I had created an A record on EPIK for srv1 .myhostname. com pointing to ***.***.***.***, my server's public IP... I also created an A record on EPIK for jettburns. com, www .jettburns. com, and *.jettburns. com pointing to ***.***.***.***, the same public IP. Would appreciate any help and insight! Spam filter said I couldn't use links in my post, so I put spaces between the periods...

System info:

Code:
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
# php -v
PHP 7.4.3 (cli) (built: Jul 5 2021 15:13:35) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies
# apachectl -v
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
# certbot --version
certbot 0.40.0

LE log in /var/log/letsencrypt/letsencrypt.log before I "skipped LE check":

Code:
2021-07-14 03:00:25,190:DEBUG:certbot.main:certbot version: 0.40.0
2021-07-14 03:00:25,191:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
2021-07-14 03:00:25,191:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-07-14 03:00:25,203:DEBUG:certbot.log:Root logging level set at 20
2021-07-14 03:00:25,203:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-07-14 03:00:25,206:DEBUG:certbot.renewal:no renewal failures

Debug log when LE SSL used to fail:

Code:
# /usr/local/ispconfig/server/server.sh
14.07.2021-15:25 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
14.07.2021-15:25 - DEBUG - Found 1 changes, starting update process.
14.07.2021-15:25 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
14.07.2021-15:25 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
14.07.2021-15:25 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
14.07.2021-15:25 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
14.07.2021-15:25 - DEBUG - safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
14.07.2021-15:25 - DEBUG - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
14.07.2021-15:25 - WARNING - Could not verify domain jettburns.com, so excluding it from letsencrypt request.
14.07.2021-15:25 - WARNING - Could not verify domain www.jettburns.com, so excluding it from letsencrypt request.
14.07.2021-15:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
14.07.2021-15:25 - WARNING - Let's Encrypt SSL Cert for: jettburns.com could not be issued.
14.07.2021-15:25 - WARNING -
14.07.2021-15:25 - DEBUG - NON-String given in escape function! (boolean)
14.07.2021-15:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
14.07.2021-15:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
14.07.2021-15:25 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
14.07.2021-15:25 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/jettburns.com.vhost
14.07.2021-15:25 - DEBUG - Apache status is: running
14.07.2021-15:25 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
14.07.2021-15:25 - DEBUG - Restarting httpd: systemctl restart apache2.service
14.07.2021-15:25 - DEBUG - Apache restart return value is: 0
14.07.2021-15:25 - DEBUG - Apache online status after restart is: running
14.07.2021-15:25 - DEBUG - Processed datalog_id 47
14.07.2021-15:25 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished server.php.

Debug log when LE SSL worked, after "skipping LE check":

Code:
# /usr/local/ispconfig/server/server.sh
14.07.2021-15:32 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
14.07.2021-15:32 - DEBUG - Found 1 changes, starting update process.
14.07.2021-15:32 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
14.07.2021-15:32 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
14.07.2021-15:32 - DEBUG - LE version is 0.40.0, so using certificates command and --cert-name instead of --expand
14.07.2021-15:32 - DEBUG - Create Let's Encrypt SSL Cert for: jettburns.com
14.07.2021-15:32 - DEBUG - Let's Encrypt SSL Cert domains:
14.07.2021-15:32 - DEBUG - exec: /bin/certbot certonly -n --text --agree-tos --cert-name jettburns.com --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-map '{"jettburns.com":"\/usr\/local\/ispconfig\/interface\/acme","www.jettburns.com":"\/usr\/local\/ispconfig\/interface\/acme"}'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jettburns.com
http-01 challenge for www.jettburns.com
Waiting for verification...
Cleaning up challenges
14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Found the following matching certs:
14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Certificate Name: jettburns.com
14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Domains: jettburns.com www.jettburns.com
14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Expiry Date: 2021-10-12 14:32:21+00:00 (VALID: 89 days)
14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Certificate Path: /etc/letsencrypt/live/jettburns.com/fullchain.pem
14.07.2021-15:32 - DEBUG - Found LE path: /etc/letsencrypt/live/jettburns.com/fullchain.pem
14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
14.07.2021-15:32 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/jettburns.com/fullchain.pem exists.
14.07.2021-15:32 - DEBUG - safe_exec cmd: ln -s '/etc/letsencrypt/live/jettburns.com/privkey.pem' '/var/www/clients/client1/web1/ssl/jettburns.com-le.key' - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: ln -s '/etc/letsencrypt/live/jettburns.com/fullchain.pem' '/var/www/clients/client1/web1/ssl/jettburns.com-le.crt' - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: ln -s '/etc/letsencrypt/live/jettburns.com/chain.pem' '/var/www/clients/client1/web1/ssl/jettburns.com-le.bundle' - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
14.07.2021-15:32 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
14.07.2021-15:32 - DEBUG - Enable SSL for: jettburns.com
14.07.2021-15:32 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/jettburns.com.vhost
14.07.2021-15:32 - DEBUG - Apache status is: running
14.07.2021-15:32 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
14.07.2021-15:32 - DEBUG - Restarting httpd: systemctl restart apache2.service
14.07.2021-15:32 - DEBUG - Apache restart return value is: 0
14.07.2021-15:32 - DEBUG - Apache online status after restart is: running
14.07.2021-15:32 - DEBUG - Processed datalog_id 56
14.07.2021-15:32 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished server.php.

Here's the output of the "test script":

Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Ubuntu 20.04.2 LTS
[INFO] uptime: 14:50:20 up 14:22, 1 user, load average: 0.01, 0.02, 0.00
[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:           30Gi       2.1Gi        26Gi       7.0Mi       2.4Gi        28Gi
Swap:         8.0Gi          0B       8.0Gi
[INFO] systemd failed services status:
UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.5

##### VERSION CHECK #####
[INFO] php (cli) version is 7.4.3
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.3

##### PORT CHECK #####

##### MAIL SERVER CHECK #####
[WARN] I found no "submission" entry in your postfix master.cf
[INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
Apache 2 (PID 253514)
[INFO] I found the following mail server(s):
Postfix (PID 122600)
[INFO] I found the following pop3 server(s):
Dovecot (PID 122655)
[INFO] I found the following imap server(s):
Dovecot (PID 122655)
[INFO] I found the following ftp server(s):
PureFTP (PID 122714)

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:22 (996/sshd:)
[localhost]:953 (122730/named)
[anywhere]:25 (122600/master)
[anywhere]:993 (122655/dovecot)
[anywhere]:995 (122655/dovecot)
[localhost]:10023 (31044/postgrey)
[localhost]:10024 (122636/amavisd-new)
[localhost]:10025 (122600/master)
[localhost]:10026 (122636/amavisd-new)
[localhost]:10027 (122600/master)
[localhost]:11211 (102818/memcached)
[anywhere]:110 (122655/dovecot)
[anywhere]:143 (122655/dovecot)
[anywhere]:465 (122600/master)
***.***.***.***:53 (122730/named)
[localhost]:53 (122730/named)
[anywhere]:21 (122714/pure-ftpd)
***.***.***.***:53 (921/systemd-resolve)
*:*:*:*::*:22 (996/sshd:)
*:*:*:*::*:25 (122600/master)
*:*:*:*::*:953 (122730/named)
*:*:*:*::*:443 (253514/apache2)
*:*:*:*::*:993 (122655/dovecot)
*:*:*:*::*:995 (122655/dovecot)
*:*:*:*::*:10024 (122636/amavisd-new)
*:*:*:*::*:10026 (122636/amavisd-new)
*:*:*:*::*:3306 (121927/mysqld)
[localhost]10 (122655/dovecot)
[localhost]43 (122655/dovecot)
*:*:*:*::*:8080 (253514/apache2)
*:*:*:*::*:80 (253514/apache2)
*:*:*:*::*:8081 (253514/apache2)
*:*:*:*::*:465 (122600/master)
*:*:*:*::*5085:dfff:fed7:53 (122730/named)
*:*:*:*::*:53 (122730/named)
*:*:*:*::*:21 (122714/pure-ftpd)

##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

##### LET'S ENCRYPT #####
Certbot is installed in /usr/bin/letsencrypt

On my second installation (I had done --use-nginx during install), I tried updating ISPConfig to fix the SSL:
Code:
$ sudo ispconfig_update.sh --force
--------------------------------------------------------------------------------
>> Update

Please choose the update method. For production systems select 'stable'.
WARNING: The update from GIT is only for development systems and may break your current setup. Do not use the GIT version on servers that host any live websites!
Note: On Multiserver systems, enable maintenance mode and update your master server first. Then update all slave servers, and disable maintenance mode when all servers are updated.

Select update method (stable,nightly,git-develop) [stable]: stable

Downloading ISPConfig update.
Unpacking ISPConfig update.
--------------------------------------------------------------------------------
>> Update

Operating System: Ubuntu 20.04.2 LTS (Focal Fossa)

This application will update ISPConfig 3 on your server.

Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: no

Checking ISPConfig database .. OK
Starting incremental database update.
Loading SQL patch file: /tmp/update_runner.sh.McNvM0py2g/install/sql/incremental/upd_dev_collection.sql
Reconfigure Permissions in master database? (yes,no) [no]: yes

Service 'dns_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]: no

Service 'db_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]: no

Reconfigure Services? (yes,no,selected) [yes]: yes

Configuring Postfix
Configuring Dovecot
Configuring Mailman
Configuring Spamassassin
Configuring Rspamd
Configuring Getmail
Configuring Pureftpd
Configuring nginx
Configuring Apps vhost
Configuring Jailkit
Configuring Ubuntu Firewall
Configuring Database
Updating ISPConfig
ISPConfig Port [8080]:

Create new ISPConfig SSL certificate (yes,no) [no]: yes

Checking / creating certificate for srv1.myhostname.com
Using certificate path /etc/letsencrypt/live/srv1.myhostname.com
Server's public ip(s) (***.***.***.***) not found in A/AAAA records for srv1.myhostname.com: 127.0.1.1
Ignore DNS check and continue to request certificate? (y,n) [n]: y

Using nginx for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/srv1.myhostname.com
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:

Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:

Reconfigure Crontab? (yes,no) [yes]:

Updating Crontab
Restarting services ...
Update finished.
When your server is behind a router and this router is configured to block access to the domain name that you try to verify LE SSL for from inside of the network, then skip letsencrypt check must be enabled to avoid this step. The first verification step is that ispconfig tests if it can reach the server under the domain that shall be verified or in other words if the domain points to this server. It is not less secure to disable it, but you will have to be careful without that check that really all domains and subdomains of a website are pointing correctly to the server as issuing the cert will completely fail if a single domain that is included in the cert fails.

To sum this up, do not reinstall your server if LE fails, the server installation is normally not the cause of such an issue (at least when you used either the official autoinstaller or one of the perfect server guides). Instead, follow the Let's encrypt FAQ step by step to find the reason why no LE cert could be issued and don't leave any steps out: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

The FAQ mentions the skip Let's encrypt check option as one of the steps to find out why you don't get a LE cert. And even if you would not have tried that option, you would have seen in the last step 'debug mode', why the LE cert could not be issued as the debug mode shows in that case that the domain was skipped as it could not be reached. From your debug log:

Code:
14.07.2021-15:25 - WARNING - Could not verify domain jettburns.com, so excluding it from letsencrypt request.
14.07.2021-15:25 - WARNING - Could not verify domain www.jettburns.com, so excluding it from letsencrypt request.
Thanks for the clarification Till, that makes sense. When you say "access", which ports exactly need to be opened or translated for LE to verify the domain? My firewall already has a NAT policy for just ports 80 and 443, translating my public IP into the server's private IP. I also have the necessary access rules for NTP, DNS, HTTP/S, and SMTP. Is a loopback policy required for any of these ports? I checked your list of ports below and I'm not sure which should be part of the NAT, versus the access rules. FYI when I try to load my site jettburns.com or my server's public IP when my laptop is on the same internal network as the server, I get a "refused to connect" message, which is expected behavior for my firewall because there is no loopback policy setup; should I create one to fix the LE SSL? faqforge. com/linux/which-ports-are-used-on-a-ispconfig-3-server-and-shall-be-open-in-the-firewall/
Yes, that's probably the same issue that causes ISPConfig's check to fail; if ISPConfig can connect (should be only on port 80) to the ip address it gets for the website names that's probably sufficient. (I didn't check the code to see, but it would surprise me if we created a test file in the same acme-challenge path to check, I'd guess it's just a connection test.)
Thanks for the help guys, it was the firewall, and one other issue. Here's how I got it working. I already had a loopback NAT rule set up, but not a corresponding access rule for the loopback. I created one allowing my laptop's "firewalled Subnet" in the "LAN" zone to access the server's public IP address in the "server" zone. After this rule was created, LE was able to verify the domains, but one more problem remained, here's the error I got:

Code:
Obtaining a new certificate
archive directory exists for jettburns.com
18.07.2021-01:02 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
18.07.2021-01:02 - DEBUG - LE CERT OUTPUT: Found the following matching certs:
18.07.2021-01:02 - DEBUG - LE CERT OUTPUT: The following renewal configurations were invalid:
18.07.2021-01:02 - DEBUG - LE CERT OUTPUT: /etc/letsencrypt/renewal/jettburns.com.conf
18.07.2021-01:02 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
18.07.2021-01:02 - DEBUG - LE CERT OUTPUT:
18.07.2021-01:02 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
18.07.2021-01:02 - WARNING - Let's Encrypt SSL Cert for: jettburns.com could not be issued.
18.07.2021-01:02 - WARNING - /bin/certbot certificates --domains jettburns.com --domains www.jettburns.com

I looked online, found this Certbot GitHub issue below suggesting I delete the old files in /renewal, /archive, and /live which I guess were leftover from failed LE verification and were still causing an issue after I fixed the firewall, or these were from when I created a certificate without the LE verification check after disabling the check temporarily. Here's that issue link and the commands I ran: github. com/certbot/certbot/issues/2550

Code:
[email protected]:~# ls /etc/letsencrypt/
accounts archive cli.ini csr keys live renewal renewal-hooks
[email protected]:~# ls /etc/letsencrypt/renewal/
jettburns.com.conf jettburns.com.conf~backup
[email protected]:~# ls /etc/letsencrypt/archive/
jettburns.com
[email protected]:~# ls /etc/letsencrypt/live/
jettburns.com README
[email protected]:~# ls /etc/letsencrypt/archive/jettburns.com/
cert1.pem chain1.pem fullchain1.pem privkey1.pem
[email protected]:~# rm -rf /etc/letsencrypt/archive/jettburns.com/
[email protected]:~# rm -rf /etc/letsencrypt/live/jettburns.com/
[email protected]:~# rm /etc/letsencrypt/renewal/jettburns.com.conf
[email protected]:~# rm /etc/letsencrypt/renewal/jettburns.com.conf~backup
[email protected]:~# ls /etc/letsencrypt/live/
README
[email protected]:~# ls /etc/letsencrypt/archive/
[email protected]:~# ls /etc/letsencrypt/renewal

And here's the main debug output of the working LE verification and certificate creation:

Code:
Obtaining a new certificate
18.07.2021-01:19 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
18.07.2021-01:19 - DEBUG - LE CERT OUTPUT: Found the following matching certs:
18.07.2021-01:19 - DEBUG - LE CERT OUTPUT: Certificate Name: jettburns.com
18.07.2021-01:19 - DEBUG - LE CERT OUTPUT: Domains: jettburns.com www.jettburns.com
18.07.2021-01:19 - DEBUG - LE CERT OUTPUT: Expiry Date: 2021-10-16 00:19:15+00:00 (VALID: 89 days)
18.07.2021-01:19 - DEBUG - LE CERT OUTPUT: Certificate Path: /etc/letsencrypt/live/jettburns.com/fullchain.pem
18.07.2021-01:19 - DEBUG - Found LE path: /etc/letsencrypt/live/jettburns.com/fullchain.pem
18.07.2021-01:19 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
18.07.2021-01:19 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/jettburns.com/fullchain.pem exists.
18.07.2021-01:19 - DEBUG - safe_exec cmd: ln -s '/etc/letsencrypt/live/jettburns.com/privkey.pem' '/var/www/clients/client1/web4/ssl/jettburns.com-le.key' - return code: 0
18.07.2021-01:19 - DEBUG - safe_exec cmd: ln -s '/etc/letsencrypt/live/jettburns.com/fullchain.pem' '/var/www/clients/client1/web4/ssl/jettburns.com-le.crt' - return code: 0
18.07.2021-01:19 - DEBUG - safe_exec cmd: ln -s '/etc/letsencrypt/live/jettburns.com/chain.pem' '/var/www/clients/client1/web4/ssl/jettburns.com-le.bundle' - return code: 0
18.07.2021-01:19 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
18.07.2021-01:19 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
18.07.2021-01:19 - DEBUG - Enable SSL for: jettburns.com

Hope this is helpful to someone one day!
I normally use one command to delete existing LE certs, which in your case should be "rm -rf /etc/letsencrypt/*/jettburns.com*".
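
The three failure signatures in this thread's logs (ISPConfig's own pre-check dropping the domains before certbot is called, certbot rejecting a leftover renewal config, and the updater seeing the hostname resolve to a loopback address) can be told apart mechanically. The script below is an added example, not part of the original posts and not ISPConfig code; the names `triage` and `diagnose` and the verdict strings are hypothetical, and the sample lines are excerpted from the logs posted above.

```python
import ipaddress
import re

# Patterns match the log wording quoted in this thread (ISPConfig 3.2.5, certbot 0.40.0).
RE_UNVERIFIED = re.compile(r"Could not verify domain ([^\s,]+), so excluding it")
RE_CERTBOT_RUN = re.compile(r"exec: \S*certbot certonly")
RE_BAD_RENEWAL = re.compile(r"renewal configurations were invalid")
RE_RENEWAL_CONF = re.compile(r"(/etc/letsencrypt/renewal/\S+\.conf)")
RE_ISSUED = re.compile(r"Found LE path: (\S+)")
RE_DNS = re.compile(r"not found in A/AAAA records for (\S+): (.+)$")

# Sample input: lines excerpted from the logs posted in the thread.
PRECHECK_LOG = """\
14.07.2021-15:25 - WARNING - Could not verify domain jettburns.com, so excluding it from letsencrypt request.
14.07.2021-15:25 - WARNING - Could not verify domain www.jettburns.com, so excluding it from letsencrypt request.
14.07.2021-15:25 - WARNING - Let's Encrypt SSL Cert for: jettburns.com could not be issued.
"""
STALE_LOG = """\
18.07.2021-01:02 - DEBUG - LE CERT OUTPUT: The following renewal configurations were invalid:
18.07.2021-01:02 - DEBUG - LE CERT OUTPUT: /etc/letsencrypt/renewal/jettburns.com.conf
18.07.2021-01:02 - WARNING - Let's Encrypt SSL Cert for: jettburns.com could not be issued.
"""
UPDATE_LOG = """\
Server's public ip(s) (***.***.***.***) not found in A/AAAA records for srv1.myhostname.com: 127.0.1.1
"""


def triage(log_text):
    """Collect the Let's Encrypt related facts from server.sh or updater output."""
    facts = {"unverified": [], "certbot_ran": False, "stale_renewal": [],
             "loopback_names": [], "cert_path": None}
    in_invalid_list = False
    for line in log_text.splitlines():
        if in_invalid_list:
            conf = RE_RENEWAL_CONF.search(line)
            if conf:
                facts["stale_renewal"].append(conf.group(1))
                continue
            in_invalid_list = False  # first non-path line ends the list
        if RE_BAD_RENEWAL.search(line):
            in_invalid_list = True
        m = RE_UNVERIFIED.search(line)
        if m:
            facts["unverified"].append(m.group(1))
        if RE_CERTBOT_RUN.search(line):
            facts["certbot_ran"] = True
        m = RE_ISSUED.search(line)
        if m:
            facts["cert_path"] = m.group(1)
        m = RE_DNS.search(line)
        if m:
            for addr in re.split(r"[,\s]+", m.group(2).strip()):
                try:
                    if ipaddress.ip_address(addr).is_loopback:
                        facts["loopback_names"].append(m.group(1))
                        break
                except ValueError:
                    continue  # masked or malformed address
    return facts


def diagnose(facts):
    """Map the collected facts to the stage that failed."""
    if facts["cert_path"]:
        return "issued"
    if facts["stale_renewal"]:
        return "stale-certbot-state"   # leftover files under /etc/letsencrypt
    if facts["unverified"] and not facts["certbot_ran"]:
        return "precheck-failed"       # server could not reach its own domain
    if facts["loopback_names"]:
        return "hostname-resolves-to-loopback"
    return "unknown"


if __name__ == "__main__":
    for name, log in (("pre-check", PRECHECK_LOG), ("stale", STALE_LOG), ("update", UPDATE_LOG)):
        print(name, "->", diagnose(triage(log)))
```
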