Hi All, sorry for the long post (I'm including logs). I installed/set up my server via Perfect Server Automated ISPConfig 3 on 11/17/2022. 60 days later, around 1/17/2023, apache2 would not start because of [ssl:emerg]. I think the SSL cert from LE for ISPConfig could not be auto-renewed.

Apache2 Log (/var/log/apache2/error.log)
Code:
[Thu Jan 19 00:18:31.418531 2023] [ssl:emerg] [pid 1255:tid 139802133617984] AH02565: Certificate and private key server.mydomain.com:8080:0 from /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key do not match
[Thu Jan 19 00:18:31.418579 2023] [:emerg] [pid 1255:tid 139802133617984] AH00020: Configuration Failed, exiting
[Thu Jan 19 00:18:31.557413 2023] [ssl:emerg] [pid 220245:tid 140065435520320] AH02565: Certificate and private key server.mydomain.com:8080:0 from /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key do not match
AH00016: Configuration Failed
[Thu Jan 19 00:18:31.990204 2023] [ssl:emerg] [pid 220479:tid 140609488629056] AH02565: Certificate and private key server.mydomain.com:8080:0 from /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key do not match
AH00016: Configuration Failed

To fix it and be able to start Apache, I had to run the ISPConfig update (ispconfig_update.sh --force), where the updater generated a new self-signed private key.
Code:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for server.mydomain.com
Using certificate path /root/.acme.sh/server.mydomain.com
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/server.mydomain.com
[Thu Jan 19 07:39:28 CST 2023] Domain key exists, do you want to overwrite the key?
[Thu Jan 19 07:39:28 CST 2023] Add '--force', and try again.
[Thu Jan 19 07:39:28 CST 2023] Create domain key error.
[Thu Jan 19 07:39:28 CST 2023] Please check log file for more details: /var/log/ispconfig/acme.log
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating a RSA private key
............................................................................................++++
.....++++
writing new private key to '/usr/local/ispconfig/interface/ssl/ispserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]: IL
Locality Name (eg, city) []: Chicago
Organization Name (eg, company) [Internet Widgits Pty Ltd]: HOSTING
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:server.mydomain.com
Email Address []:[email protected]
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:

ACME Log (/var/log/ispconfig/acme.log)
Code:
[Thu Jan 19 00:20:43 CST 2023] ===End cron===
[Thu Jan 19 07:39:27 CST 2023] Running cmd: setdefaultca
[Thu Jan 19 07:39:27 CST 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
[Thu Jan 19 07:39:27 CST 2023] Lets find script dir.
[Thu Jan 19 07:39:27 CST 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
[Thu Jan 19 07:39:27 CST 2023] _script='/root/.acme.sh/acme.sh'
[Thu Jan 19 07:39:27 CST 2023] _script_home='/root/.acme.sh'
[Thu Jan 19 07:39:27 CST 2023] Using config home:/root/.acme.sh
[Thu Jan 19 07:39:27 CST 2023] Running cmd: issue
[Thu Jan 19 07:39:27 CST 2023] _main_domain='server.mydomain.com'
[Thu Jan 19 07:39:27 CST 2023] _alt_domains='no'
[Thu Jan 19 07:39:27 CST 2023] Using config home:/root/.acme.sh
[Thu Jan 19 07:39:27 CST 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jan 19 07:39:27 CST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jan 19 07:39:27 CST 2023] DOMAIN_PATH='/root/.acme.sh/server.mydomain.com'
[Thu Jan 19 07:39:27 CST 2023] Le_NextRenewTime='1673902028'
[Thu Jan 19 07:39:27 CST 2023] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Thu Jan 19 07:39:27 CST 2023] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Thu Jan 19 07:39:27 CST 2023] GET
[Thu Jan 19 07:39:27 CST 2023] url='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jan 19 07:39:27 CST 2023] timeout=
[Thu Jan 19 07:39:27 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L '
[Thu Jan 19 07:39:27 CST 2023] ret='0'
[Thu Jan 19 07:39:27 CST 2023] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Thu Jan 19 07:39:27 CST 2023] ACME_NEW_AUTHZ
[Thu Jan 19 07:39:27 CST 2023] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Jan 19 07:39:27 CST 2023] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu Jan 19 07:39:27 CST 2023] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Thu Jan 19 07:39:27 CST 2023] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
[Thu Jan 19 07:39:27 CST 2023] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Jan 19 07:39:28 CST 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Jan 19 07:39:28 CST 2023] _on_before_issue
[Thu Jan 19 07:39:28 CST 2023] _chk_main_domain='server.mydomain.com'
[Thu Jan 19 07:39:28 CST 2023] _chk_alt_domains
[Thu Jan 19 07:39:28 CST 2023] Le_LocalAddress
[Thu Jan 19 07:39:28 CST 2023] d='server.mydomain.com'
[Thu Jan 19 07:39:28 CST 2023] Check for domain='server.mydomain.com'
[Thu Jan 19 07:39:28 CST 2023] _currentRoot='/usr/local/ispconfig/interface/acme'
[Thu Jan 19 07:39:28 CST 2023] d
[Thu Jan 19 07:39:28 CST 2023] _saved_account_key_hash is not changed, skip register account.
[Thu Jan 19 07:39:28 CST 2023] Read key length:4096
[Thu Jan 19 07:39:28 CST 2023] Creating domain key
[Thu Jan 19 07:39:28 CST 2023] Using config home:/root/.acme.sh
[Thu Jan 19 07:39:28 CST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jan 19 07:39:28 CST 2023] Domain key exists, do you want to overwrite the key?
[Thu Jan 19 07:39:28 CST 2023] Add '--force', and try again.
[Thu Jan 19 07:39:28 CST 2023] Create domain key error.
[Thu Jan 19 07:39:28 CST 2023] pid
[Thu Jan 19 07:39:28 CST 2023] No need to restore nginx, skip.
[Thu Jan 19 07:39:28 CST 2023] _clearupdns
[Thu Jan 19 07:39:28 CST 2023] dns_entries
[Thu Jan 19 07:39:28 CST 2023] skip dns.
[Thu Jan 19 07:39:28 CST 2023] _on_issue_err
[Thu Jan 19 07:39:28 CST 2023] Please check log file for more details: /var/log/ispconfig/acme.log
[Thu Jan 19 07:40:34 CST 2023] Running cmd: upgrade
[Thu Jan 19 07:40:34 CST 2023] Using config home:/root/.acme.sh
[Thu Jan 19 07:40:34 CST 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jan 19 07:40:34 CST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jan 19 07:40:34 CST 2023] GET
[Thu Jan 19 07:40:34 CST 2023] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
[Thu Jan 19 07:40:34 CST 2023] timeout=
[Thu Jan 19 07:40:34 CST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L '
[Thu Jan 19 07:40:34 CST 2023] ret='0'
[Thu Jan 19 07:40:34 CST 2023] Already uptodate!
[Thu Jan 19 07:40:34 CST 2023] Upgrade success!
[Thu Jan 19 07:40:34 CST 2023] Running cmd: setdefaultca
[Thu Jan 19 07:40:34 CST 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory

My question is how to fix the auto-renewal of the SSL cert from LE, and also how I can go from self-signed to an LE SSL cert at this time? Thanks in advance.
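The AH02565 error in the Apache log above is mod_ssl refusing to start because the public key inside ispserver.crt is not the public key that belongs to ispserver.key; that is exactly what happens when a renewal writes a new key but the matching certificate never arrives (or the other way round). The script below is an added example, not code from the original post, from ISPConfig or from acme.sh: it performs the same cert/key comparison with the openssl CLI so it can be run before restarting Apache, and it adds an expiry check so a stalled renewal is noticed before the certificate lapses. The paths /usr/local/ispconfig/interface/ssl/ispserver.crt and .key come from the log; the make_fixture function builds throw-away keys in a temporary directory (constructed test data) so the checks can be tried without touching the real files. The 60-day renewal threshold in the comment is acme.sh's default.

```shell
#!/bin/sh
# Added example (not ISPConfig or acme.sh code): detect the cert/key mismatch
# behind Apache's AH02565 and a stalled renewal, using only the openssl CLI.
set -u

# Return 0 if CRT and KEY carry the same public key, 1 if they differ,
# 2 if either file is unreadable or not PEM. Comparing the SubjectPublicKeyInfo
# blocks works for RSA and EC keys alike, which is what mod_ssl verifies at startup.
cert_key_match() {
    crt="$1"; key="$2"
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# Return 0 if the certificate in CRT is still valid DAYS days from now, 1 otherwise.
# acme.sh renews at 60 days of Let's Encrypt's 90-day lifetime by default, so a
# panel cert with fewer than ~30 days left means the renewal cron is not working.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Constructed test data: a self-signed cert with its own key, plus an unrelated
# key that must NOT match. Prints the temporary directory holding the files.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=server.example.test" \
        -keyout "$dir/good.key" -out "$dir/good.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}

# Usage: sh check_ispcert.sh CRT KEY   (with no arguments nothing is checked)
# e.g.   sh check_ispcert.sh /usr/local/ispconfig/interface/ssl/ispserver.crt \
#                            /usr/local/ispconfig/interface/ssl/ispserver.key
if [ $# -eq 2 ]; then
    case $(cert_key_match "$1" "$2"; echo $?) in
        0) echo "OK: $1 and $2 match" ;;
        1) echo "MISMATCH: $1 does not belong to $2 (Apache will fail with AH02565)" ;;
        *) echo "ERROR: cannot read $1 or $2" ;;
    esac
    cert_valid_for_days "$1" 30 || echo "WARNING: $1 expires within 30 days; renewal is not happening"
fi
```

If the pair mismatches, do not hand-edit either file: the fix is to obtain a consistent pair again (a fresh issue via acme.sh, or the ISPConfig updater's fallback as the poster did), and the check above is worth re-running afterwards and whenever the renewal cron has fired.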
Have you created a website for the server hostname server.mydomain.com in ISPConfig? As this will make the SSL cert renewal fail. In your case, it also seems that the cert files might be corrupted. Try to delete the SSL cert for server.mydomain.com using the acme.sh command (plus maybe removing remnant files and directories in the /root/.acme.sh/ directory for this one SSL cert), and then run an ispconfig update again to create a new cert.
Thank you @till. No, I have not. Do I have to create the website "server.mydomain.com" before I delete/clean the SSL cert and run the ispconfig update again?
OK, thank you! I have an A record in my DNS with the name "server" pointed to the IP. Do I need an A record or a CNAME for the hostname (in this case "server")?
I removed the SSL cert using
Code:
acme.sh --remove -d server.mydomain.com
Deleted the folder
Code:
rm -rf /root/.acme.sh/server.mydomain.com
Re-ran the ISPConfig updater; it is still falling back to self-signed, and this time I get a verify error / connection refused
Code:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for server.mydomain.com
Using certificate path /etc/letsencrypt/live/server.mydomain.com
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/server.mydomain.com
[Thu Jan 19 12:35:47 CST 2023] server.mydomain.com:Verify error:111.222.333.444 Fetching http://server.mydomain.com/.well-known/acme-challenge/M6cKWhScDO6Y7ebws_WJovHyuRaAqDzD0eRpv9EWoO0: Connection refused
[Thu Jan 19 12:35:47 CST 2023] Please check log file for more details: /var/log/ispconfig/acme.log
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
So Let's Encrypt was not able to reach your system. Take care that you do not block access on port 80 from the internet. The Let's Encrypt verification servers must be able to reach your server; if this does not work, you will not get an SSL cert.
Thank you so much again! Hmmmm, that makes sense. I'm wondering if my provider is blocking port 80 or if it is the UFW firewall. How do I ensure port 80 isn't blocked? When I go here and check port 80, it is open for both mydomain.com and server.mydomain.com. Also in ISPConfig under System > Firewall > Open TCP ports, port 80 is listed there (20,21,22,25,80,443,40110:40210,110,143,465,587,993,995,53,8080,8081).
ISPConfig does not block port 80, and the port list shows it is open. The first step is that you try to access the server hostname on port 80 in a browser; does that work? You might also want to run the test script from the "read before posting" thread and post the result.
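The browser test till suggests can be scripted so that it mirrors what the Let's Encrypt validators actually do for an HTTP-01 challenge: fetch a token from http://<hostname>/.well-known/acme-challenge/<token> over plain port 80, and compare the body. The script below is an added example, not part of the thread, of ISPConfig or of acme.sh. It assumes curl is installed and that the challenge webroot is /usr/local/ispconfig/interface/acme, the _currentRoot shown in the acme.log earlier in the thread (override ACME_WEBROOT if yours differs). The "place" half runs on the server; the "probe" half must run from a host outside the provider's network, because a firewall in front of the server, which is what this thread eventually turns out to be, is invisible from the server itself and from any "is the port open" tool that talks to the same firewall. The test harness uses a local python3 http.server as a stand-in for Apache.

```shell
#!/bin/sh
# Added example (not ISPConfig or acme.sh code): reproduce Let's Encrypt's HTTP-01
# fetch against a host to tell "firewall/nothing on :80" apart from "wrong vhost".
# Requires curl.
set -u

# acme.sh's webroot for this server per the thread's acme.log (_currentRoot).
# Assumption: it is still the active challenge directory on the reader's install.
ACME_WEBROOT="${ACME_WEBROOT:-/usr/local/ispconfig/interface/acme}"

# Drop a random probe token into WEBROOT/.well-known/acme-challenge/ and print it.
# Run on the server. The file is plain text; delete it once the probe is done.
place_token() {
    webroot="$1"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$webroot/.well-known/acme-challenge"
    printf '%s' "$token" > "$webroot/.well-known/acme-challenge/$token"
    echo "$token"
}

# Fetch the token the way a validation server would: plain HTTP on the given port,
# redirects followed (Let's Encrypt follows them too), short timeout.
# Exit codes: 0 reachable and correct; 1 reachable but the body is not the token
# (another vhost, a redirect to the wrong place, or a 404 answered); 2 connection
# refused or timed out (provider/host firewall, or nothing listening on that port).
probe_acme_challenge() {
    host="$1"; port="$2"; token="$3"
    url="http://$host:$port/.well-known/acme-challenge/$token"
    body=$(curl -s -L --max-time 5 "$url") || { echo "UNREACHABLE $url"; return 2; }
    if [ "$body" = "$token" ]; then
        echo "OK $url"; return 0
    fi
    echo "WRONG-CONTENT $url (port answers, but not from the ACME webroot)"; return 1
}

# On the server:      TOKEN=$(sh acme_probe.sh place)
# From outside:       sh acme_probe.sh probe server.mydomain.com 80 "$TOKEN"
case "${1:-}" in
    place) place_token "$ACME_WEBROOT" ;;
    probe) probe_acme_challenge "$2" "$3" "$4" ;;
esac
```

A result of 2 from outside while the same probe returns 0 from the server itself (against 127.0.0.1) isolates the problem to something between the internet and Apache, which is the provider-level firewall case in this thread; a result of 1 points at the request landing on a different vhost or webroot than the one acme.sh writes to.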
I get the default Debian Apache page when I browse to http://server.mydomain.com

TEST SCRIPT BELOW
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 11 (bullseye)
[INFO] uptime:  13:19:43 up 18:33,  1 user,  load average: 0.25, 0.28, 0.45
[INFO] memory:
               total        used        free      shared  buff/cache   available
Mem:           7.7Gi       3.1Gi       719Mi       356Mi       4.0Gi       4.0Gi
Swap:             0B          0B          0B
[INFO] systemd failed services status:
  UNIT                 LOAD   ACTIVE SUB    DESCRIPTION
* le_ispc_pem.path     loaded failed failed "Monitor the panel certificate files to trigger a recreation of the .pem file after renewal"
* le_ispc_pem.service  loaded failed failed "Create new .pem file on certificate renewal"

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
2 loaded units listed.
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.9

##### VERSION CHECK #####
[INFO] php (cli) version is 7.4.33
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.33

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
        Apache 2 (PID 362949)
[INFO] I found the following mail server(s):
        Postfix (PID 362818)
[INFO] I found the following pop3 server(s):
        Dovecot (PID 362905)
[INFO] I found the following imap server(s):
        Dovecot (PID 362905)
[INFO] I found the following ftp server(s):
        PureFTP (PID 363001)

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:4190 (362905/dovecot)
[anywhere]:993 (362905/dovecot)
[anywhere]:995 (362905/dovecot)
...skipping 1 line
[localhost]:11333 (362860/rspamd:)
[localhost]:11334 (362860/rspamd:)
[localhost]:10023 (579/postgrey)
[anywhere]:587 (362818/master)
[localhost]:6379 (983/redis-server)
[localhost]:11211 (945/memcached)
[anywhere]:110 (362905/dovecot)
[anywhere]:143 (362905/dovecot)
[anywhere]:465 (362818/master)
***.***.***.***:53 (363123/named)
***.***.***.***:53 (363123/named)
***.***.***.***:53 (363123/named)
***.***.***.***:53 (363123/named)
***.***.***.***:53 (363123/named)
***.***.***.***:53 (363123/named)
***.***.***.***:53 (363123/named)
***.***.***.***:53 (363123/named)
[localhost]:53 (363123/named)
[localhost]:53 (363123/named)
[localhost]:53 (363123/named)
[localhost]:53 (363123/named)
[anywhere]:21 (363001/pure-ftpd)
[anywhere]:22 (1030/sshd:)
[localhost]:953 (363123/named)
[anywhere]:25 (362818/master)
*:*:*:*::*:443 (362949/apache2)
*:*:*:*::*:4190 (362905/dovecot)
*:*:*:*::*:993 (362905/dovecot)
*:*:*:*::*:995 (362905/dovecot)
*:*:*:*::*:11332 (362860/rspamd:)
*:*:*:*::*:11333 (362860/rspamd:)
*:*:*:*::*:11334 (362860/rspamd:)
*:*:*:*::*:10023 (579/postgrey)
*:*:*:*::*:3306 (361968/mariadbd)
*:*:*:*::*:587 (362818/master)
*:*:*:*::*:6379 (983/redis-server)
[localhost]10 (362905/dovecot)
[localhost]43 (362905/dovecot)
*:*:*:*::*:8080 (362949/apache2)
*:*:*:*::*:80 (362949/apache2)
*:*:*:*::*:8081 (362949/apache2)
*:*:*:*::*:465 (362818/master)
*:*:*:*::*:21 (363001/pure-ftpd)
*:*:*:*::*:53 (363123/named)
*:*:*:*::*:53 (363123/named)
*:*:*:*::*:53 (363123/named)
*:*:*:*::*:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*53 (363123/named)
*:*:*:*::*53 (363123/named)
*:*:*:*::*53 (363123/named)
*:*:*:*::*53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*7c06:b5ff:fe45:53 (363123/named)
*:*:*:*::*:22 (1030/sshd:)
*:*:*:*::*:25 (362818/master)
*:*:*:*::*:953 (363123/named)

##### IPTABLES #####
Chain INPUT (policy DROP)
target                      prot opt source               destination
f2b-sshd                    tcp  --  [anywhere]/0         [anywhere]/0         multiport dports 22
f2b-postfix-sasl            tcp  --  [anywhere]/0         [anywhere]/0         multiport dports 25
ufw-before-logging-input    all  --  [anywhere]/0         [anywhere]/0
ufw-before-input            all  --  [anywhere]/0         [anywhere]/0
ufw-after-input             all  --  [anywhere]/0         [anywhere]/0
ufw-after-logging-input     all  --  [anywhere]/0         [anywhere]/0
ufw-reject-input            all  --  [anywhere]/0         [anywhere]/0
ufw-track-input             all  --  [anywhere]/0         [anywhere]/0

Chain FORWARD (policy DROP)
target                      prot opt source               destination
ufw-before-logging-forward  all  --  [anywhere]/0         [anywhere]/0
ufw-before-forward          all  --  [anywhere]/0         [anywhere]/0
ufw-after-forward           all  --  [anywhere]/0         [anywhere]/0
ufw-after-logging-forward   all  --  [anywhere]/0         [anywhere]/0
ufw-reject-forward          all  --  [anywhere]/0         [anywhere]/0
ufw-track-forward           all  --  [anywhere]/0         [anywhere]/0

Chain OUTPUT (policy ACCEPT)
target                      prot opt source               destination
ufw-before-logging-output   all  --  [anywhere]/0         [anywhere]/0
ufw-before-output           all  --  [anywhere]/0         [anywhere]/0
ufw-after-output            all  --  [anywhere]/0         [anywhere]/0
ufw-after-logging-output    all  --  [anywhere]/0         [anywhere]/0
ufw-reject-output           all  --  [anywhere]/0         [anywhere]/0
ufw-track-output            all  --  [anywhere]/0         [anywhere]/0

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
RETURN     all  --  [anywhere]/0         [anywhere]/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
RETURN     all  --  [anywhere]/0         [anywhere]/0

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target                    prot opt source               destination
ufw-skip-to-policy-input  udp  --  [anywhere]/0         [anywhere]/0         udp dpt:137
ufw-skip-to-policy-input  udp  --  [anywhere]/0         [anywhere]/0         udp dpt:138
ufw-skip-to-policy-input  tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:139
ufw-skip-to-policy-input  tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:445
ufw-skip-to-policy-input  udp  --  [anywhere]/0         [anywhere]/0         udp dpt:67
ufw-skip-to-policy-input  udp  --  [anywhere]/0         [anywhere]/0         udp dpt:68
ufw-skip-to-policy-input  all  --  [anywhere]/0         [anywhere]/0         ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  [anywhere]/0         [anywhere]/0         limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  [anywhere]/0         [anywhere]/0         limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target            prot opt source               destination
ACCEPT            all  --  [anywhere]/0         [anywhere]/0         ctstate RELATED,ESTABLISHED
ACCEPT            icmp --  [anywhere]/0         [anywhere]/0         icmptype 3
ACCEPT            icmp --  [anywhere]/0         [anywhere]/0         icmptype 11
ACCEPT            icmp --  [anywhere]/0         [anywhere]/0         icmptype 12
ACCEPT            icmp --  [anywhere]/0         [anywhere]/0         icmptype 8
ufw-user-forward  all  --  [anywhere]/0         [anywhere]/0

Chain ufw-before-input (1 references)
target            prot opt source               destination
ACCEPT            all  --  [anywhere]/0         [anywhere]/0
ACCEPT            all  --  [anywhere]/0         [anywhere]/0         ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  [anywhere]/0         [anywhere]/0         ctstate INVALID
DROP              all  --  [anywhere]/0         [anywhere]/0         ctstate INVALID
ACCEPT            icmp --  [anywhere]/0         [anywhere]/0         icmptype 3
ACCEPT            icmp --  [anywhere]/0         [anywhere]/0         icmptype 11
ACCEPT            icmp --  [anywhere]/0         [anywhere]/0         icmptype 12
ACCEPT            icmp --  [anywhere]/0         [anywhere]/0         icmptype 8
ACCEPT            udp  --  [anywhere]/0         [anywhere]/0         udp spt:67 dpt:68
ufw-not-local     all  --  [anywhere]/0         [anywhere]/0
ACCEPT            udp  --  [anywhere]/0         ***.***.***.***      udp dpt:5353
ACCEPT            udp  --  [anywhere]/0         ***.***.***.***      udp dpt:1900
ufw-user-input    all  --  [anywhere]/0         [anywhere]/0

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target           prot opt source               destination
ACCEPT           all  --  [anywhere]/0         [anywhere]/0
ACCEPT           all  --  [anywhere]/0         [anywhere]/0         ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  [anywhere]/0         [anywhere]/0

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  [anywhere]/0         [anywhere]/0         limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  [anywhere]/0         [anywhere]/0         ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  [anywhere]/0         [anywhere]/0         limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target            prot opt source               destination
RETURN            all  --  [anywhere]/0         [anywhere]/0         ADDRTYPE match dst-type LOCAL
RETURN            all  --  [anywhere]/0         [anywhere]/0         ADDRTYPE match dst-type MULTICAST
RETURN            all  --  [anywhere]/0         [anywhere]/0         ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  [anywhere]/0         [anywhere]/0         limit: avg 3/min burst 10
DROP              all  --  [anywhere]/0         [anywhere]/0

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  [anywhere]/0         [anywhere]/0

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  [anywhere]/0         [anywhere]/0

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  [anywhere]/0         [anywhere]/0

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:20
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:21
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:22
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:25
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:80
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:443
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         multiport dports 40110:40210
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:110
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:143
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:465
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:587
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:993
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:995
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:53
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:8080
ACCEPT     tcp  --  [anywhere]/0         [anywhere]/0         tcp dpt:8081
ACCEPT     udp  --  [anywhere]/0         [anywhere]/0         udp dpt:53

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  [anywhere]/0         [anywhere]/0         limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  [anywhere]/0         [anywhere]/0         reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  [anywhere]/0         [anywhere]/0

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

##### LET'S ENCRYPT #####
acme.sh is installed in /root/.acme.sh/acme.sh
After I turned off the firewall at my provider level, Let's Encrypt was able to verify/connect and issue the SSL cert.