Hi guys,
I am having trouble again on the 3-month renewal.

```
The client lacks sufficient authorization :: Invalid response from domain.ltd
```

I cannot manually get to the location in a browser. I have turned off rewrite HTTP to HTTPS. I get a 404 error when I try to access the area.
I think I may have found the problem. Not only was the server not allowing HTTP, but I think that there is a permission problem.

```
cd /usr/local/ispconfig/interface/acme/.well-known
ls -lah
drwxr-sr-x 2 ispconfig ispconfig 4.0K Jan 22 13:49 acme-challenge
vim ispconfig.conf
```

```
Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Require all granted
    <IfModule mpm_itk_module>
        AssignUserId www-data www-data
    </IfModule>
</Directory>
```

Is the AssignUserId incorrect? Should it be ispconfig ispconfig, or should /acme be www-data www-data?
Is there any way to set this up to let me know in advance, so I can fix this in advance?
KRs
Lee
The permissions of the directory are fine. The token is created by certbot as root user, so it can write to that directory, and the user www-data is a member of the ispconfig group, so Apache can read the token. The Apache config should be fine as well, as the www-data user can read the token. If it were a permission problem, you would not get a 404 error, you would get a 403. A 404 really means that the token is unreachable (in the sense of non-existent at this URL). Most likely a rewrite rule or redirect in your website redirects the URL so that it is unreachable.
Would that be in the individual Apache conf files? I'll be honest, I am at a loss. Would you be able to point me in the right direction? I tried emailing Florian this morning but nothing back yet. Would you be able to take a look at it?
KRs
Lee
Most likely it's a redirect that is set in the Apache/nginx directives field of the website or an .htaccess file on an Apache server or a global redirect. To test this, add a test file in the folder /usr/local/ispconfig/interface/acme/.well-known/acme-challenge, e.g.:

```
touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt
```

and then try to fetch it with a browser:

```
http://yourdomain.tld/.well-known/acme-challenge/test.txt
```

If you get a 404, then take a look into the access.log of the site to see if you find any additional info on the failed request there.
I'm sure Florian will contact you. I'm sure he got a load of work over the weekend that he is working on, on Monday.
Hi Till,
Could I be having this issue on mine?
"Maybe you have a mix of old and new syntax on your server. When the server is an apache version that uses the new syntax, then remove all old syntax. For ispconfig vhosts, you can do that with tools > resync, for other apache files you might have to do that manually. The reason for this is that you can't mix old and new syntax. E.g. when you deny access globally for /var/www in old syntax, then you can not give access to a subdirectory of /var/www in new syntax. Apache simply ignores the new syntax then. ISPConfig will choose new syntax when the apache version of that server uses new syntax."
I upgraded from Debian 7 to Debian 8 about 3-4 months ago. I don't believe I have any special features in the Apache files, so a resync could fix this issue?
Hi Till,
I tried this, but it has made things worse. Everything seems to be forcing a redirect to SSL. Do you know where I could look to see where this is happening? I can't even bypass the HTTPS errors and get:

```
You cannot visit www.marsdenduncan.co.uk right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
```

L
Seems as if the site currently uses an SSL cert of another site; this happens when the site has no SSL enabled. Are the SSL checkbox and LE checkbox of that site enabled at the moment? If not, enable debug mode:
https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/
then enable the SSL and LE checkboxes, run server.sh, and you will see on the shell in detail what's going on.
If you need help by remote login, then you should consider contacting Florian here http://www.ispconfig.org/get-support/?type=ispconfig and ask him to take a look at your problem directly.
I have asked Florian to help. This is way out of my league. I will email him again.
Florian must have already enabled debugging. They are full of:

```
06.02.2018-17:58 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
06.02.2018-17:58 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
```

I have re-enabled only SSL tick boxes.
This is not the debug output from enabling ssl checkbox. Most likely you did not comment out server.sh in root crontab so the changes had already been processed.
I got this when I did what you said:

```
06.02.2018-18:59 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
06.02.2018-18:59 - DEBUG - Found 1 changes, starting update process.
06.02.2018-18:59 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
06.02.2018-18:59 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
06.02.2018-18:59 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web23/.php-fcgi-starter
06.02.2018-18:59 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/gklkent.com.vhost
06.02.2018-18:59 - DEBUG - Apache status is: running
06.02.2018-18:59 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
06.02.2018-18:59 - DEBUG - Restarting httpd: systemctl restart apache2.service
06.02.2018-18:59 - DEBUG - Apache restart return value is: 0
06.02.2018-18:59 - DEBUG - Apache online status after restart is: running
06.02.2018-18:59 - DEBUG - Processed datalog_id 3311
06.02.2018-18:59 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
```

I am getting somewhere. When I try to select the LE button under SSL, I now get a vhost.conf.err file. This is still pointing to the outdated LE cert files created just over three months ago.
That debug output is better. Is your server behind a router? And please check the letsencrypt.log file; it must be there and it should contain the reason why letsencrypt is not able to renew the SSL cert.
Hi Till,
I don't believe that I am behind a router/firewall. I think I have to pay extra for a firewall at OVH.

```
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- base-address.mcast.net/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9980

Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PAROLE (24 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (6 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:imap2
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:urd
PAROLE tcp -- anywhere anywhere tcp dpt:submission
PAROLE tcp -- anywhere anywhere tcp dpt:imaps
PAROLE tcp -- anywhere anywhere tcp dpt:pop3s
PAROLE tcp -- anywhere anywhere tcp dpt:2812
PAROLE tcp -- anywhere anywhere tcp dpt:mysql
PAROLE tcp -- anywhere anywhere tcp dpt:8040
PAROLE tcp -- anywhere anywhere tcp dpt:8041
PAROLE tcp -- anywhere anywhere tcp dpt:tproxy
PAROLE tcp -- anywhere anywhere tcp dpt:8090
PAROLE tcp -- anywhere anywhere tcp dpt:8888
PAROLE tcp -- anywhere anywhere tcp dpt:git
PAROLE tcp -- anywhere anywhere tcp dpt:9980
PAROLE tcp -- anywhere anywhere tcp dpt:webmin
PAROLE tcp -- anywhere anywhere tcp dpts:40110:40210
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:mysql
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (6 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-pureftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
```

```
2018-02-07 02:01:10,435:DEBUG:certbot.main:Root logging level set at 20
2018-02-07 02:01:10,436:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-02-07 02:01:10,436:DEBUG:certbot.main:certbot version: 0.10.2
2018-02-07 02:01:10,436:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
2018-02-07 02:01:10,437:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2018-02-07 02:01:10,438:WARNING:certbot.renewal:renewal config file {} is missing a required file reference
2018-02-07 02:01:10,438:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/binarybrothers.tech.conf is broken. Skipping.
2018-02-07 02:01:10,438:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 59, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 373, in __init__
    "file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference
2018-02-07 02:01:10,439:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 0 renew failure(s), 1 parse failure(s)
```

This is what was in tonight's log. After running certbot from the cmd line on one domain, I get:

```
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):27 28
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for gklkent.com
tls-sni-01 challenge for www.gklkent.com
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
  result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0035_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0035_csr-certbot.pem
archive directory exists for gklkent.com
```
The first log file looks as if one of the LE config files is corrupted and this causes LE to fail. Regarding the manual renewal attempt, are you able to activate SSL on that domain now?
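
A check for the corrupted renewal configs mentioned above, as an added example that is not part of the original thread: certbot reports "missing a required file reference" when a renewal file is empty or lacks one of the `cert`, `privkey`, `chain` or `fullchain` entries. The function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find certbot renewal configs that are empty or lack one of
# the four file references, the condition behind the
# "missing a required file reference" parse failure.
REQUIRED_KEYS="cert privkey chain fullchain"

# check_renewal_conf FILE: print the problem and return 1 if FILE is broken.
check_renewal_conf() {
    missing=""
    if [ ! -s "$1" ]; then
        echo "$1: empty file"
        return 1
    fi
    for key in $REQUIRED_KEYS; do
        # A usable reference is a line "key = /some/path" with a value.
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$1" ||
            missing="$missing $key"
    done
    if [ -n "$missing" ]; then
        echo "$1: missing reference(s):$missing"
        return 1
    fi
    return 0
}

# scan_renewal_dir DIR: check every *.conf in DIR; return 1 if any is broken.
scan_renewal_dir() {
    status=0
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue
        check_renewal_conf "$conf" || status=1
    done
    return "$status"
}

# demo: run the scan over constructed sample files (not real configs).
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/empty.example.conf"
    printf 'cert = /x/cert.pem\nprivkey = /x/privkey.pem\n' \
        > "$tmp/partial.example.conf"
    printf 'cert = /x/cert.pem\nprivkey = /x/privkey.pem\nchain = /x/chain.pem\nfullchain = /x/fullchain.pem\n' \
        > "$tmp/good.example.conf"
    scan_renewal_dir "$tmp" | sed "s|$tmp/||"
    rm -rf "$tmp"
}

# Pass a directory such as /etc/letsencrypt/renewal, or no argument for the demo.
if [ "$#" -gt 0 ]; then
    scan_renewal_dir "$1"
else
    demo
fi
```
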
I can activate SSL, yes, but I get a sad face with the following text:

```
This site can’t provide a secure connection
www.gklkent.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
```

I still get the same error from LE. I cannot access acme-challenge. Can I change anything in Apache to force it, albeit with a security risk, for testing?

```
FailedChallenges: Failed authorization procedure. gklkent.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gklkent.com/.well-known/acme-challenge/WOKM76Ri9zxKPo2eo-ic8LieIwP5xwqMhQb8mkB8nVQ: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http:", www.gklkent.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.gklkent.com/.well-known/acme-challenge/QFvH15U1egxw7ghj8i98a7cjW1onDJ1c9uCWrNfg_MQ: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
```
SSL with LE will not work until you have fixed the problem that LE can't access its auth token from outside.
1) Is the domain reachable from the internet? If not, ensure that LE is able to reach it.
2) Do you use any redirect or rewrite rules, e.g. in a .htaccess file, that redirect requests to that domain to another directory? If yes, you'll have to ensure that requests to the .well-known directory are not redirected.
OK, temporarily I have made the following change to

```
vim /etc/apache2/sites-available/ispconfig.conf
```

I commented out the AssignUserID module.

```
Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Require all granted
    # <IfModule mpm_itk_module>
    # AssignUserId www-data www-data
    #</IfModule>
</Directory>
```

Running Certbot again now allowed me to generate and use the new cert. After it worked on that one, I redid certbot on all sites, which caused problems.
All the Apache files look on https://pastebin.com/h41kLDuS
It looks like the cert has been issued to 23ir.co.uk but all SSL sites point to marsdenduncan.co.uk.
This is the Apache folder.
Sites Available

```
root@isc:~/Certbot# ls -lah /etc/apache2/sites-available/
total 312K
drwxr-xr-x 2 root root 4.0K Feb 8 11:35 .
drwxr-xr-x 9 root root 4.0K Feb 8 11:31 ..
-rw-r--r-- 1 root root 1.4K Jul 16 2017 000-default.conf
-rw-r--r-- 1 root root 3.5K Feb 8 11:07 23ir.co.uk.vhost
-rw-r--r-- 1 root root 7.0K Feb 8 11:30 23ir.co.uk.vhost-le-ssl.conf
-rw-r--r-- 1 root root 4.0K Feb 8 11:07 3buddhas.co.uk.vhost
-rw-r--r-- 1 root root 8.0K Feb 8 11:30 3buddhas.co.uk.vhost-le-ssl.conf
-rw-r--r-- 1 root root 2.3K Feb 8 11:07 7pg.co.uk.vhost
-rw-r--r-- 1 root root 4.7K Feb 8 11:30 7pg.co.uk.vhost-le-ssl.conf
-rw-r--r-- 1 root root 1.2K Feb 5 11:55 apps.vhost
-rw-r--r-- 1 root root 3.4K Feb 7 19:42 binarybrothers.tech.vhost
-rw-r--r-- 1 root root 3.7K Feb 8 11:07 computing.inspiredsolutionsuk.com.vhost
-rw-r--r-- 1 root root 7.5K Feb 8 11:30 computing.inspiredsolutionsuk.com.vhost-le-ssl.conf
-rw-r--r-- 1 root root 3.6K Feb 8 11:07 countyelectrics.com.vhost
-rw-r--r-- 1 root root 7.2K Feb 8 11:30 countyelectrics.com.vhost-le-ssl.conf
-rw-r--r-- 1 root root 8.1K Feb 6 16:19 dav.inspiredsolutionsuk.com.vhost
-rw-r--r-- 1 root root 7.1K Mar 2 2015 default-ssl.conf
-rw-r--r-- 1 root root 3.8K Feb 8 11:35 gklkent.com.vhost
-rw-r--r-- 1 root root 12K Feb 8 11:30 gklkent.com.vhost-le-ssl.conf
-rw-r--r-- 1 root root 2.3K Feb 8 11:07 gkltenants.com.vhost
-rw-r--r-- 1 root root 4.8K Feb 8 11:30 gkltenants.com.vhost-le-ssl.conf
-rw-r--r-- 1 root root 3.6K Feb 6 16:19 greenknightlettings.com.vhost
-rw-r--r-- 1 root root 3.6K Feb 6 16:19 greenknightlettings.co.uk.vhost
-rw-r--r-- 1 root root 2.4K Feb 8 11:07 huttonsdomain.com.vhost
-rw-r--r-- 1 root root 4.8K Feb 8 11:30 huttonsdomain.com.vhost-le-ssl.conf
-rw-r--r-- 1 root root 3.6K Feb 8 11:07 inspiredsolutionsuk.com.vhost
-rw-r--r-- 1 root root 7.3K Feb 8 11:30 inspiredsolutionsuk.com.vhost-le-ssl.conf
-rw-r--r-- 1 root root 3.5K Feb 8 11:07 isc.inspiredsolutionsuk.com.vhost
-rw-r--r-- 1 root root 11K Feb 8 11:30 isc.inspiredsolutionsuk.com.vhost-le-ssl.conf
-rw-r--r-- 1 root root 2.0K Feb 8 11:27 ispconfig.conf
-rw-r--r-- 1 root root 3.2K Feb 5 11:56 ispconfig.vhost
-rw-r--r-- 1 root root 3.3K Feb 6 16:19 kfssltd.co.uk.vhost
-rw-r--r-- 1 root root 3.3K Feb 6 16:15 krsltd.co.uk.vhost
-rw-r--r-- 1 root root 8.5K Feb 6 16:15 lahtechnologies.com.vhost
-rw-r--r-- 1 root root 7.9K Feb 8 11:30 marsdenduncan.co.uk.vhost
-rw-r--r-- 1 root root 3.6K Feb 8 11:16 marsdenduncan.co.uk.vhost-le-ssl.conf
-rw-r--r-- 1 root root 2.9K Feb 8 11:07 marsdenduncansolicitors.co.uk.vhost
-rw-r--r-- 1 root root 5.9K Feb 8 11:30 marsdenduncansolicitors.co.uk.vhost-le-ssl.conf
-rw-r--r-- 1 root root 4.1K Feb 8 11:07 myreclaimedgardens.co.uk.vhost
-rw-r--r-- 1 root root 8.2K Feb 8 11:30 myreclaimedgardens.co.uk.vhost-le-ssl.conf
-rw-r--r-- 1 root root 379 Feb 6 14:26 nextcloud.conf
-rw-r--r-- 1 root root 10K Feb 6 16:16 office.gklkent.com.vhost
-rw-r--r-- 1 root root 11K Aug 21 13:12 office.gklkent.com.vhost.err
-rw-r--r-- 1 root root 3.4K Feb 8 11:07 pgl-uk.org.vhost
-rw-r--r-- 1 root root 6.8K Feb 8 11:30 pgl-uk.org.vhost-le-ssl.conf
-rw-r--r-- 1 root root 3.5K Feb 8 11:07 preceptcs.com.vhost
-rw-r--r-- 1 root root 7.1K Feb 8 11:30 preceptcs.com.vhost-le-ssl.conf
-rw-r--r-- 1 root root 3.3K Feb 6 16:18 rfskent.co.uk.vhost
-rw-r--r-- 1 root root 3.0K Sep 17 19:40 roundcube.conf
-rw-r--r-- 1 root root 3.3K Feb 6 16:18 whitecaps.co.uk.vhost
```

I cannot tick the SSL box in the ISP control panel on any site, and all HTTPS redirects to marsdenduncan.co.uk.
What have I done!!
Using certbot on the shell for websites will cause the whole Apache setup to fail, as certbot is not able to create correct Apache config files. It simply tries to create copies with -le attached to the filename, and ISPConfig will be unable to do any changes after that. Basically, you will have to remove all these Apache config files with -le in the filename from the Apache sites-enabled folder to get the system back operating. Then log in to ISPConfig and enable the SSL and LE checkbox of the website where you want to turn on LE.
Hi Till,
I got everything back to working as it was yesterday. I still cannot authorize well-known.
Should I just create a well-known folder in every website under its user and take out the alias in ispconfig.conf?
Also, I actually have a new certificate, I think:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/gklkent.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/binarybrothers.tech.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/gklkent.com-0001.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
Attempting to parse the version 0.21.1 renewal configuration file found at /etc/letsencrypt/renewal/gklkent.com-0002.conf with version 0.10.2 of Certbot. This might not work.
-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: www.marsdenduncan.co.uk
    Domains: www.marsdenduncan.co.uk marsdenduncan.co.uk
    Expiry Date: 2018-05-09 10:16:02+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.marsdenduncan.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.marsdenduncan.co.uk/privkey.pem
  Certificate Name: gklkent.com-0002
    Domains: 23ir.co.uk 3buddhas.co.uk 7pg.co.uk computing.inspiredsolutionsuk.com countyelectrics.com gklkent.com gkltenants.com huttonsdomain.com inspiredsolutionsuk.com isc.inspiredsolutionsuk.com marsdenduncan.co.uk marsdenduncansolicitors.co.uk myreclaimedgardens.co.uk pgl-uk.org preceptcs.com www.23ir.co.uk www.3buddhas.co.uk www.7pg.co.uk www.countyelectrics.com www.gklkent.com www.gkltenants.com www.huttonsdomain.com www.inspiredsolutionsuk.com www.marsdenduncan.co.uk www.marsdenduncansolicitors.co.uk www.myreclaimedgardens.co.uk www.pgl-uk.org www.preceptcs.com
    Expiry Date: 2018-05-09 10:06:26+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/gklkent.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gklkent.com-0002/privkey.pem

The following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/gklkent.com.conf
  /etc/letsencrypt/renewal/binarybrothers.tech.conf
  /etc/letsencrypt/renewal/gklkent.com-0001.conf
```

Those renewal files are blank and empty.
No, this won't help, as certbot won't find its token then, as the token gets created in the folder /usr/local/ispconfig/interface/acme/.well-known/acme-challenge. You can try this, run:

```
touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt
```

You must then be able to reach the test.txt file in a browser by using your domain name:

```
http://yourdomain.tld/.well-known/acme-challenge/test.txt
```

Unless this is working again, LE will fail.
Try to move the broken renewal certs to a different folder, maybe certbot will recreate them then.
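
The test-file check described in this thread, as an added example that is not part of the original posts: it goes beyond the manual touch-and-browse step by writing a random token into the test file and comparing the response body, so a rewrite that answers 200 with another page is caught as well as the 403 and 404 cases. `classify_probe`, `probe_domain` and the result labels are hypothetical names; the challenge directory is the one given in the thread.

```shell
#!/bin/sh
# Added example: probe the ACME challenge alias the way the thread's manual
# test does, and name the likely cause from the HTTP result.
# Directory from the thread; override with ACME_DIR if your setup differs.
ACME_DIR=${ACME_DIR:-/usr/local/ispconfig/interface/acme/.well-known/acme-challenge}

# classify_probe STATUS BODY_MATCH REDIRECT_URL  (labels are illustrative)
classify_probe() {
    case "$1" in
        200)
            if [ "$2" = yes ]; then
                echo "OK: test file served unchanged"
            else
                echo "WRONG-BODY: 200, but another page answered (rewrite or catch-all)"
            fi ;;
        30[12378])
            echo "REDIRECT: sent to ${3:-unknown}; the target must still serve the file" ;;
        403) echo "FORBIDDEN: permission problem on the challenge directory" ;;
        404) echo "NOT-FOUND: URL does not reach the challenge directory (rewrite or redirect)" ;;
        000) echo "UNREACHABLE: no HTTP answer from the domain" ;;
        *)   echo "OTHER: unexpected status $1" ;;
    esac
}

# probe_domain DOMAIN: create a test file, fetch it over plain HTTP, clean up.
probe_domain() {
    name="probe-$$.txt"
    token="probe-$$-$(date +%s)"
    printf '%s' "$token" > "$ACME_DIR/$name" || return 2
    body_file=$(mktemp) || return 2
    # -w prints the status code and, for a 3xx answer, the redirect target.
    meta=$(curl -s --max-time 10 -o "$body_file" \
        -w '%{http_code} %{redirect_url}' \
        "http://$1/.well-known/acme-challenge/$name")
    match=no
    [ "$(cat "$body_file")" = "$token" ] && match=yes
    rm -f "$ACME_DIR/$name" "$body_file"
    classify_probe "${meta%% *}" "$match" "${meta#* }"
}

if [ "$#" -gt 0 ]; then
    probe_domain "$1"
else
    # Constructed results, shown when no domain is given (no network needed).
    classify_probe 404 no ""
    classify_probe 301 no "https://example.com/.well-known/acme-challenge/probe.txt"
fi
```

Run it as root on the web server with the domain as the only argument; the 404 result still calls for a look at the site's access.log, as suggested earlier in the thread.
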