Yes, that makes perfect sense now... obviously because this was a migration of a production site the DNS couldn't be updated until the new ISPConfig installation was configured, otherwise the sites would have vanished from the internet before the server could be migrated! Worth people taking this into consideration when using the Migration Tool in case they get the same issue.
Thanks - I had this pencilled in to do when things settle down - just have to remember to select the "issue new SSL cert" option
That's why the Migration Tool tutorial mentions that you should use the same LE client on the old and new server, and the Migration Tool also shows a warning when the LE clients do not match. With a matching LE client, the certs get copied over. Without a matching LE client, you have to create new ones and this cannot work before DNS is switched over, so you always get downtime when you choose to change the LE client on server migration.
Thanks - I did assume that the LE clients were the same as I don't recall seeing a warning in the migration tool when I performed the migration and 12 websites worked fine and their SSL certs copied over and just worked... I haven't needed to create new certs for any of the other sites! Either way - many thanks again for your help.
I don't know if this can be a related issue: I had a similar problem with one certificate not renewing. I logged into "ISPC -> related website", and then unmarked and saved, then marked again and saved the SSL/LetsEncrypt option. By running "tail -f /var/log/ispconfig/acme.log" during the process, I observed how the certificate was then renewed successfully. I wonder if there is some hole to cover in the ISPC routine for the automatic renewal. My manual operation worked, and so I wonder if maybe something doesn't work properly in the renewal process.
I don't think so. It just means renewal failed at the point in time ISPConfig tried it, and conditions changed in a way that it worked at the time you ran it manually. ISPConfig runs the certbot and acme.sh command once every night with renew command-line options. E.g. I run several ISPConfig systems and have never had a single LE renew failure on any of them; some older ones use certbot, and the newer ones use acme.sh. If there were a bug in the ISPConfig code, my systems would have failed to renew SSL certs as well, as I use the normally released version on all of them.