For posterity's sake (and in case somebody uses Apache mpm-itk on Debian 7 (wheezy) and has upgraded to ISPConfig 3.1): The mpm-itk module forces Apache to start as <user>:<group> (i.e. web1:client1) and thus renders it unable to access /usr/local/ispconfig/interface/acme/.well-known/acme-challenge and verify Let's Encrypt's challenge. Pasting the following in a terminal and reloading Apache fixed the issue:

Code:

cat <<EOF >/etc/apache2/conf.d/acme.conf
# ACME HTTP-01 challenges are requested under /.well-known/acme-challenge
Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Order allow,deny
    Allow from all
    # Serve this directory as www-data instead of the per-site mpm-itk user
    <IfModule mpm_itk_module>
        AssignUserId www-data www-data
    </IfModule>
</Directory>
EOF
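To confirm which directory actually stops the per-site user before changing the Apache configuration, the following added example (not part of the original post and not ISPConfig code) walks the challenge path and reports the first component the user cannot enter. The names `first_blocked` and `ids_for` are hypothetical; the check uses classic mode bits only and assumes no POSIX ACLs.

```python
#!/usr/bin/env python3
"""Find the first directory on a path that a given user cannot traverse."""
import grp
import os
import pwd
import stat
import sys


def first_blocked(uid, gids, target, start="/"):
    """Return the first directory from start down to target that uid/gids
    cannot search (missing execute bit), or None if all are traversable."""
    if uid == 0:                      # root bypasses directory search checks
        return None
    start, target = os.path.realpath(start), os.path.realpath(target)
    chain, cur = [start], start
    for part in os.path.relpath(target, start).split(os.sep):
        if part != ".":
            cur = os.path.join(cur, part)
            chain.append(cur)
    for d in chain:
        st = os.stat(d)
        if st.st_uid == uid:          # owner class applies, even if stricter
            needed = stat.S_IXUSR
        elif st.st_gid in gids:       # otherwise group class
            needed = stat.S_IXGRP
        else:                         # otherwise "other"
            needed = stat.S_IXOTH
        if not st.st_mode & needed:
            return d
    return None


def ids_for(user):
    """Look up uid plus primary and supplementary gids for a user name."""
    pw = pwd.getpwnam(user)
    extra = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, {pw.pw_gid} | extra


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_path.py USER PATH   (run as root)")
    uid, gids = ids_for(sys.argv[1])
    blocked = first_blocked(uid, gids, sys.argv[2])
    print(f"blocked at: {blocked}" if blocked else "path is traversable")
```

Run it as root with the site user from the post (web1) and the acme-challenge path; a "blocked at" result names the directory whose permissions keep the mpm-itk user out.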