SSL / Let's Encrypt issues with subdomains

Discussion in 'General' started by Shinichi, Jul 10, 2019.

  1. Shinichi

    Shinichi New Member

    Currently I started with the migration of websites from my old to my new web cluster. I combined some How-to-Guides (mainly this) from this website, changed / improved some details (I will share when I am done with the migration) and (almost) everything is working fine so far. Big thanks to the community for all your great work.

    This is a very long post because there is no error message at all that I could post; there will only be this description and my analysis, so thank you for reading.

    But prior to the error description here is my configuration:
    • Debian 9 (Stretch)
    • ISPConfig 3.1.13p1
    • nginx/1.10.3;
      built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.0k 28 May 2019);
      TLS SNI support enabled
    Well, the one thing that isn't working is using SSL / Let's Encrypt. The behavior:

    Setting up a website with SSL / Let's Encrypt works fine as long as you don't include a subdomain other than the "www" Auto-Subdomain. Doing so causes ISPConfig to remove the checkmarks from "SSL" and "Let's Encrypt SSL", and ISPConfig will not include the https section in the nginx vhost configuration at all. An alias domain is no problem.

    I've searched the web about issues using ISPConfig with subdomains and found some solutions pointing to missing DNS records for these subdomains. So I rechecked my DNS configuration and it was fine (each domain / subdomain / alias domain has its own A-Record and a CNAME for www).

    So I did some research to analyze the issue and here are the results:

    I started with a clean website for example.com:
    • Turned off any SSL options
    • Deleted every entry for example.com from /etc/letsencrypt/ and its subdirectories
    • Deleted every entry in <vhost>/ssl/
    So I started as if I had never used SSL for example.com. I did this twice: first with * as Auto-Subdomain directly in the Web Domain configuration, and second with the subdomains test and www.test (test.example.com and www.test.example.com), both with an additional alias domain (foo.bar). No (SEO) redirects were configured, to avoid any inaccessibility issues.

    I checked the vhost configuration and all domains were included correctly in the "server_name" statement. So everything worked fine so far.

    Then I turned on "SSL" and "Let's Encrypt SSL" options and as expected the result was as I mentioned before: ISPConfig removed both options and the https section was not included in the vhost configuration.

    So I checked the Let's Encrypt log and the /etc/letsencrypt/ directory and was surprised that in both cases a certificate was issued. Within the /etc/letsencrypt/ directory everything was linked correctly. Only the symlinks in the <vhost>/ssl/ directory and the https section in the vhost configuration file were missing.

    So next I decided to check whether the certificates were issued correctly. I manually linked the certificates to the <vhost>/ssl/ directory and added the https section to the vhost configuration file. After that I could request at least some domains / subdomains / alias domains for the first case and all of them for the second case. Here are the results in detail:

    *:

    test / www.test:
    So now it was clear, that at least for the second case (where I included the subdomain(s) specifically) the certificate was issued correctly.

    So I decided to trick ISPConfig a bit and updated the database record for this domain manually, setting both columns (ssl and ssl_letsencrypt) to 'y'. After that both options were displayed as checked in the Web Domain configuration as expected.

    Now I turned on the "Enable SPDY/HTTP2" option to see what happens, and against my expectations ISPConfig did not remove the https section; instead it added "http2" correctly.

    Why is ISPConfig not adding the https section to the vhost configuration when enabling SSL, and why is it fine with adding / reconfiguring the https section with http2 afterwards? There is simply no reason for this behavior, at least none I can figure out.

    Or am I doing something wrong? It would be great if someone could explain this and / or has a solution to it.
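    The check described in this post (does the certificate certbot issued actually cover every name nginx will serve?) as a small script. This is an added example, not code from the thread, from ISPConfig or from certbot. The vhost fragment and the SAN lists below are constructed to mirror the two test cases above using the thread's example.com / foo.bar placeholders; on a real server the SAN list is read from the "X509v3 Subject Alternative Name" block of `openssl x509 -in fullchain.pem -noout -text`. The wildcard rule implemented is the usual one for TLS names (a wildcard covers exactly one left-most label), which is why a server_name of *.example.com is reported as uncovered by a certificate that only lists example.com and www.example.com.

```python
"""Compare nginx server_name entries against a certificate's SAN list.

Added example, not the poster's, ISPConfig's or certbot's code.
The vhost fragment and SAN lists are constructed for illustration.
"""
import re

# Constructed vhost fragment modelled on the thread's second test case
# (subdomains test and www.test plus alias domain foo.bar).
SAMPLE_VHOST = """
server {
    listen 80;
    server_name example.com www.example.com test.example.com www.test.example.com foo.bar www.foo.bar;
}
"""

# Constructed SAN list as a certificate for that vhost would carry it.
SAMPLE_VHOST_SANS = [
    "example.com", "www.example.com",
    "test.example.com", "www.test.example.com",
    "foo.bar", "www.foo.bar",
]


def server_names(conf):
    """Collect every hostname from all server_name directives in conf.

    nginx's ".example.com" shorthand expands to example.com plus *.example.com.
    Regex names (~...) and the "_" catch-all are skipped: a certificate
    cannot express them, so they are checked by hand if used.
    """
    names = set()
    for m in re.finditer(r"^\s*server_name\s+([^;]+);", conf, re.M):
        for tok in m.group(1).split():
            tok = tok.lower()
            if tok.startswith("~") or tok == "_":
                continue
            if tok.startswith("."):
                names.update([tok[1:], "*" + tok])
            else:
                names.add(tok)
    return sorted(names)


def san_matches(san, host):
    """True if the SAN entry covers host; a wildcard covers one label only."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                       # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[:-len(suffix)]             # the part the wildcard must absorb
    return bool(left) and "." not in left  # exactly one label


def uncovered(names, sans):
    """Return the server names that no SAN entry matches."""
    return [n for n in names if not any(san_matches(s, n) for s in sans)]


if __name__ == "__main__":
    # Second case from the thread: every name is covered.
    print("case test/www.test, missing:", uncovered(server_names(SAMPLE_VHOST), SAMPLE_VHOST_SANS))
    # First case: "*" auto-subdomain. A certificate listing only the
    # concrete names cannot cover the wildcard server_name.
    wildcard_names = ["example.com", "*.example.com", "foo.bar", "www.foo.bar"]
    concrete_sans = ["example.com", "www.example.com", "foo.bar", "www.foo.bar"]
    print("case *, missing:", uncovered(wildcard_names, concrete_sans))
```

    Any name printed as missing is one a browser would reject with a certificate error even though the https section and the symlinks are in place, which separates "ISPConfig did not wire up the vhost" from "the certificate does not cover this name".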
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It has been explained in quite a few threads that there is a bug in certbot and that latest ispconfig has a workaround for it. Update ISPConfig to the current version and then test again.
     
  3. Shinichi

    Shinichi New Member

    An update to 3.1.14p1 fixed the problem. Didn't find anything about a certbot bug, only the issues with wrong DNS configuration I mentioned before. Maybe you should include this in your Let's Encrypt Error FAQ.

    Thanks a lot till.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. Shinichi

    Shinichi New Member

    Yeah, but at this time I did not know that this behavior is the result of a certbot bug. As I described, the certificate was issued correctly, and that was rather pointing to an ISPConfig problem. And at this point nobody will search for a certbot bug....

    Anyways, the problem is solved and it was just a suggestion to add this into the FAQ.
     
