Let's Encrypt SSL Not Working (No errors)

Discussion in 'Installation/Configuration' started by UTF_8x, Nov 2, 2020.

Thread Status:
Not open for further replies.
  1. till

    till Super Moderator Staff Member ISPConfig Developer

    Because ISPConfig is running on port 8080 and not 443. So a vhost for port 443 should not be in this file.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Because ISPConfig is using port 8080 and not 443. So a vhost for port 443 should not be in this file.

    Besides that, you still did not answer my questions from post #14. I asked you 3 questions, you answered just 1. The reason for your problem seems to be that acme.sh fails because it can't find a service on port 80 on localhost (127.0.0.1) to do the LE authentication.
     
  3. Taxi

    Taxi Member

    It is a standalone server from server4you.de. No virtualization. Fresh install of Debian testing and of ISPConfig. Nothing else running on this server.
    Yes, I think that's the problem.
    Strange that when I do a telnet it kind of works:
    sun:~# telnet localhost 80
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.

    Seems to work:
    sun:~# nc -zv 127.0.0.1 80
    localhost [127.0.0.1] 80 (http) open

    And also here:
    sun:~# nmap -sS 127.0.0.1 -p 80
    Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-13 15:24 CET
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000036s latency).

    PORT STATE SERVICE
    80/tcp open http
    Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

    sun:~# ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 85.25.213.11 netmask 255.255.255.192 broadcast 85.25.213.63
    inet6 fe80::fab1:56ff:feb7:15c4 prefixlen 64 scopeid 0x20<link>
    ether f8:b1:56:b7:15:c4 txqueuelen 1000 (Ethernet)
    RX packets 3122963 bytes 398947039 (380.4 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 1490435 bytes 219847528 (209.6 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    device interrupt 20 memory 0xf7c00000-f7c20000

    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10<host>
    loop txqueuelen 1000 (Local Loopback)
    RX packets 198267 bytes 143324112 (136.6 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 198267 bytes 143324112 (136.6 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    Is it an iptables issue?
    sun:~# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    sun:~# ufw status verbose
    Status: inactive

    sun:~# netstat -tanlp | grep LISTEN
    tcp 0 0 85.25.213.11:53 0.0.0.0:* LISTEN 442584/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 442584/named
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 442578/pure-ftpd (S
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 733/sshd: /usr/sbin
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 442584/named
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 442376/master
    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 442528/dovecot
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 442528/dovecot
    tcp 0 0 127.0.0.1:10023 0.0.0.0:* LISTEN 1332/postgrey --pid
    tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 442435/amavisd-new
    tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 442376/master
    tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 442435/amavisd-new
    tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 441286/mariadbd
    tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 442376/master
    tcp 11 0 0.0.0.0:587 0.0.0.0:* LISTEN 442376/master
    tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 626/memcached
    tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 442528/dovecot
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 442528/dovecot
    tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 442376/master
    tcp6 0 0 fe80::fab1:56ff:feb7:53 :::* LISTEN 442584/named
    tcp6 0 0 ::1:53 :::* LISTEN 442584/named
    tcp6 0 0 :::21 :::* LISTEN 442578/pure-ftpd (S
    tcp6 0 0 :::22 :::* LISTEN 733/sshd: /usr/sbin
    tcp6 0 0 :::25 :::* LISTEN 442376/master
    tcp6 0 0 ::1:953 :::* LISTEN 442584/named
    tcp6 0 0 :::443 :::* LISTEN 443655/apache2
    tcp6 0 0 :::993 :::* LISTEN 442528/dovecot
    tcp6 0 0 :::995 :::* LISTEN 442528/dovecot
    tcp6 0 0 ::1:10024 :::* LISTEN 442435/amavisd-new
    tcp6 0 0 ::1:10026 :::* LISTEN 442435/amavisd-new
    tcp6 0 0 :::587 :::* LISTEN 442376/master
    tcp6 0 0 :::110 :::* LISTEN 442528/dovecot
    tcp6 0 0 :::143 :::* LISTEN 442528/dovecot
    tcp6 0 0 :::80 :::* LISTEN 443655/apache2
    tcp6 0 0 :::8081 :::* LISTEN 443655/apache2
    tcp6 0 0 :::465 :::* LISTEN 442376/master
     
  4. Taxi

    Taxi Member

    Now I can't access ISPConfig via rothmedia.net:8080 any more. Also because of the https issue.
    I can reach other websites via http.

    When I run
    sun:~# acme.sh --issue -d rothmedia.net -w /var/www/ispconfig/
    [Mon 14 Dec 2020 02:12:10 PM CET] Domains not changed.
    [Mon 14 Dec 2020 02:12:10 PM CET] Skip, Next renewal time is: Tue 09 Feb 2021 02:23:52 PM UTC
    [Mon 14 Dec 2020 02:12:10 PM CET] Add '--force' to force to renew.

    it looks like it works.
    My question then is the following: What problem does ISPConfig have with it?

    Kind regards
    Christian
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Before you fix that, it's worth asking if you are sure you want to use the domain name as your server name; normally you do not, as the domain will then be unusable within ispconfig for email, etc.

    Do you see the correct site, just wrong certificate? If so, check the symlinks in /usr/local/ispconfig/interface/ssl/.
     
  6. Taxi

    Taxi Member

    You're right. Actually I changed the ispserver name to sun. Which means, it should be accessible via sun.rothmedia.net:8080.
    Under /usr/local/ispconfig/interface/ssl/ there are the certificates:
    sun:/usr/local/ispconfig/interface/ssl# ls -l
    total 32
    -rwxr-x--- 1 ispconfig ispconfig 45 Dec 13 19:49 empty.dir
    -rwxr-x--- 1 ispconfig ispconfig 1842 Dec 13 19:49 ispserver.crt
    -rwxr-x--- 1 ispconfig ispconfig 972 Dec 13 19:49 ispserver.csr
    -rwxr-x--- 1 ispconfig ispconfig 3311 Dec 13 21:47 ispserver.key
    -rwxr-x--- 1 ispconfig ispconfig 3311 Dec 13 19:49 ispserver.key.secure
    -rwxr-x--- 1 ispconfig ispconfig 3429 Dec 13 19:49 ispserver.pem
    -rwxr-x--- 1 ispconfig ispconfig 619 Dec 13 19:49 rothmedia.net.conf
    -rwxr-x--- 1 ispconfig ispconfig 208 Dec 13 19:49 rothmedia.net.csr.conf

    The ispconfig.crt is a letsencrypt one I could/would use if it would work.
    In the /etc/apache2/sites-available/ I have a rothmedia.net.vhost but not a sun.rothmedia.net.vhost, which I deleted before running ispconfig_update.sh --force. But it is not recreated.
    I'm a bit confused now.
    I'm generating the letsencrypt certificate for rothmedia.net and not for the subdomain, correct?
    But for apache I need a sun.rothmedia.net.vhost.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The file sun.rothmedia.net.vhost is not related to ISPConfig GUI. Did you delete the ispconfig.vhost file manually as well? If yes, ispconfig will not recreate it on an update. If you made a backup, restore that file in the sites-available folder and the symlink to the file in the sites-enabled folder.
     
  8. Taxi

    Taxi Member

    I did it. I also commented out the NameVirtualHost, because apache was complaining about it.
    I restarted the service apache2 and tested the site. No success. I get the problem loading page error.
    With http://sun.rothmedia.net I get the default 'Welcome to your webpage' page.
    https://sun.rothmedia.net not working either.
     
  9. Taxi

    Taxi Member

    I did an ispconfig_update.sh --force and because of the letsencrypt error, I ran into the self-signed certificate creation:
    Checking / creating certificate for sun.rothmedia.net
    Using certificate path /root/.acme.sh/sun.rothmedia.net
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    Using apache for certificate validation
    [Mon 14 Dec 2020 08:14:46 PM CET] sun.rothmedia.net:Verify error:Fetching http://sun.rothmedia.net/.well-known/acme-challenge/GgXs4DctL5FLSLR3z2zsztJV-7Or78V56ADoCrMHvYg: Connection refused
    [Mon 14 Dec 2020 08:14:46 PM CET] Please add '--debug' or '--log' to check more details.
    [Mon 14 Dec 2020 08:14:46 PM CET] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ........................................++++
    .++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:DE

    After Update finished
    now I can access the ISPConfig Web Interface again. :)
    Under https://rothmedia.net:8080 as well as https://sun.rothmedia.net:8080

    I have no clue how to fix the
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    error. But I'm happy that I have it running with the self signed certificate at least.
    Thanks for all your help so far!
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    To start, I think you haven't configured your hostname correctly as it should be a subdomain and not the root domain.

    Have you followed the Perfect Server tutorial closely? You might want to go through it again and follow the steps there with the same commands.
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    From a quick search, the /dev/tcp/127.0.0.1/80 syntax is handled by the bash shell, perhaps you simply missed the step to reconfigure /bin/sh to be bash instead of dash?
     
  12. Taxi

    Taxi Member

    Yes. There are quite a few tutorials around. I found one which explains the hostname stuff, which I changed.
    I found another difference in the /etc/postfix/main.cf file:
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    was missing. This line was missing entirely. I added it.
    I also commented the following line
    #bind-address = 127.0.0.1
    although my SQL Server was running as expected.
    But anyways, my postfix, and all other services are working as expected.
    What I am missing is mailman, because there is no install candidate for Debian testing.
    There is a mailman3-web package. But this wants to install a whole bunch of stuff I don't think I need.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Mailman 3 is not supported, it's basically a completely different software than the original mailman version. It is unlikely that we add support for it. If Mailman is a requirement for you, then you'll have to reinstall the system with a Debian version that ships with mailman like Debian 10.
     
  14. Taxi

    Taxi Member

    YES! That was the point with the error. Many thanks! I don't know how I could miss this. Ashes onto my head!
    Now the ispconfig_update.sh nags that letsencrypt could not issue a certificate for sun.rothmedia.net.
    Do I have to issue a certificate for every subdomain, or can I issue a certificate for the domain rothmedia.net and all the subdomains using this one, or do clients not trust the subdomains in this case?
     
  15. Taxi

    Taxi Member

    Many thanks for your quick reply. No, I don't need mailman.
    In issuing the certificate I got one step further. I had missed changing the shell to bash. See my post above.
     
  16. Taxi

    Taxi Member

    Now I have another problem with not being able to start apache2. It asks for the certificate's passphrase. When I provide it, it comes up with this in the apache/error.log:
    SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
    Quite a stony path to ISPConfig success.
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I would advise you to go through the perfect server tutorial again completely, eventually even reinstall the whole system. You missed several steps, which will cause more issues in the future.
     
  18. Taxi

    Taxi Member

    I just did it again. I can't reinstall because I have already clients using it with mail addresses...
    Do I have to create a subdomain for the ispconfig server name, i.e. 'sun' in my case? sun.rothmedia.net. So that letsencrypt can issue the certificate and not run into the following error?
    sun.rothmedia.net:Verify error:Invalid response from http://sun.rothmedia.net/.well-known/acme-challenge/DYt7iA6-JcEyHR2syreIfN5rB5ZI4lpCPef
     
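The two acme.sh failures seen in this thread, "Connection refused" on 127.0.0.1:80 in post 9 and "Invalid response" for the challenge URL in post 18, can be reproduced with a local pre-flight check before re-running the installer. The following is an added example, not code from ISPConfig or acme.sh: it first performs the same TCP probe the installer does with bash's /dev/tcp, then fetches a challenge token from the local web server under the hostname being validated; the hostname, token and temporary webroot are constructed for the demonstration, and port 80 is the assumed target on a real server.

```python
import functools
import http.client
import http.server
import os
import socket
import tempfile
import threading
import urllib.parse

CHALLENGE_DIR = ".well-known/acme-challenge"

def port_open(host, port, timeout=2.0):
    """Python equivalent of the installer's bash-only /dev/tcp/127.0.0.1/80 probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_challenge(hostname, token, expected, host="127.0.0.1", port=80, timeout=2.0):
    """GET /.well-known/acme-challenge/<token> from the local web server with the
    Host header the validator would send. Returns 'connection refused' (nothing
    listens, the post 9 error), 'invalid response' (wrong status or body, the
    post 18 error) or 'ok'."""
    if not port_open(host, port, timeout):
        return "connection refused"
    path = "/%s/%s" % (CHALLENGE_DIR, urllib.parse.quote(token))
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        conn.close()
    except OSError:
        return "connection refused"
    return "ok" if resp.status == 200 and body == expected else "invalid response"

def serve_webroot(token, content):
    """Constructed stand-in for the real vhost: a temporary webroot holding one
    challenge file, served on an ephemeral 127.0.0.1 port. Returns (server, port)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, CHALLENGE_DIR))
    with open(os.path.join(root, CHALLENGE_DIR, token), "w") as fh:
        fh.write(content)
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=root)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Against a real ISPConfig host, call probe_challenge("sun.example.net", token, token + "." + thumbprint) with the default port 80 after placing the token file under the vhost's webroot; serve_webroot only exists so the check can be exercised offline.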
  19. Taxi

    Taxi Member

    Another success. Let's Encrypt certificates are now created direct through ISPConfig by pressing Let's Encrypt SSL. :)
    I created with acme.sh manually a certificate for rothmedia.net and placed it into /usr/local/ispconfig/interface/ssl/
    And now I can access ISPConfig via https://rothmedia.net:8080. Only when I want to access ISPConfig via sun.rothmedia.net:8080 I have to accept the certificate from rothmedia.net.
     
  20. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You can manually re-request the certificate to include both names.
     