There are many threads that deal with problems to generate SSL certificates with Let’s Encrypt so I start a FAQ here. Please read the whole post when you are having trouble. Why does Letsencrypt does not create an SSL cert? Let’s Encrypt verifies your server by downloading an individual token from each domain of the website, including auto-subdomains, subdomains, and aliasdomains. If one of these domains and subdomains is unreachable (no DNS, wrong DNS, closed firewall, etc) then Let's Encrypt will refuse to create the SSL cert. Why does the Let’s Encrypt in ISPConfig get disabled automatically? When the creation of the SSL certificate through Let’s Encrypt fails, the Let’s Encrypt and SSL checkbox get disabled in the settings of your website. What can I do if SSL certificate creation with Let’s Encrypt fails? Check that you have a Let’s Encrypt client installed. On servers installed before the release of ISPConfig 3.2, this is most likely certbot. On servers installed after the release, it's most likely acme.sh. Check that the Let's encrypt client 'certbot' is updated (when using certbot). If your system is using acme.sh, then ISPConfig takes care of the acme.sh update automatically. Check that you run the latest ISPConfig version. When your server is behind a NAT router or a firewall so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System -> Server config -> server1.example.com -> Web. If you are using a Cloudflare proxy, you can not get a Let's Encrypt SSL cert. Using Cloudflare DNS (without proxy function enabled) is fine, though. Check that all domain names (incl. auto subdomain www etc.), subdomains, and alias domains really point to the right website in DNS and are working. Open one after another in your browser and test that. You might also want to check DNS records and servers of that domain using a DNS test tool like intodns.com for inconsistencies. If the domain also has IPv6 (AAAA) records, then your system must be reachable by IPv6 as well and not just IPv4. If you still use Apache 2.2, then update your ispconfig to the latest version with the ispconfig_update.sh script to get an updated vhost template. After you do that, use Tools > resync to apply the new template to all sites or apply it to a single site by altering a value in the site settings and press save, before you try to activate Let’s Encrypt again. This is only necessary on apache 2.2 systems. Newer apache 2.4 or nginx systems are not affected. If you updated from ISPConfig < 3.1 to ISPConfig > 3.1 and deselected the "Reconfigure services" option during update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ispconfig apache configuration files. Redo the update with the command "ispconfig_update.sh --force" and choose to reconfigure services in that case. Check that 'Server Migration Mode' option under System > Server Config is not enabled, as migration mode disables the creation of new Let's encrypt certificates. Where do I find detailed error messages? You can find the log files here when using certbot: /var/log/letsencrypt When using acme.sh, it can be in /var/log/ispconfig/acme.log or /root/.acme.sh/acme.sh.log If you need further help, post the relevant log excerpt for the certificate that can't get issued in the forum. What if the above steps don't help? Enable the ISPConfig debug mode by following the steps from this guide: https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/ After doing so, enable Let's Encrypt for the web and run the server.sh script manually. Post the debug output in the forum if you cannot identify the issue yourself. Don't forget to re-enable the server.sh cronjob when your problem is resolved.
