SSL working for one website, but not the others...

Discussion in 'Installation/Configuration' started by Fazzax, Nov 13, 2018.

  1. Fazzax

    Fazzax New Member

    Hi everyone,

    I just added 3 websites on ispconfig 3.1 dev (, and As I need to separate each of them, they're created as websites, with one ssh jailed user each.

    I issued the certificates through Let's Encrypt for the domain through:

    letsencrypt auth --text --agree-tos --authenticator webroot --server --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme
    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done
    ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt
    service apache2 restart
    and have no problem for, (subdomain) and (server).
    Regarding the new ones, it's working perfectly fine for, but the certificates for and are shown as not valid :
    13.11.2018-22:17 - WARNING - Let's Encrypt SSL Cert for: could not be issued)

    I created the 3 websites with exactly the same configuration...

    Any ideas of how to fix it?
    Thanks a lot,
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Is in DNS? Did you disable the www auto subdomain? If those don't find the issue, refer to the letsencrypt faq here in the forums for further troubleshooting.
  3. Fazzax

    Fazzax New Member


    Thanks for the reply.
    Yes, is in DNS (same syntax as, and www auto subdomain is disabled.

    I checked, when I actually go to it's:
    - actually working even though I unchecked SSL and deleted it through the ssl tab
    - showing an invalid certificate in the tab (common name being and subject alternative name and

    It's the exact same for
    I checked the test and mail vhosts, no 443. I guess the SSL is enabled and looking at the wrong cert because of the

    Would you know how to remove the certs neatly and issue them again? Any ideas of what's happening?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Please see here to find out why the certs could not be issued:

    If your server is behind a router and the router blocks access to the domains from within the network, then you have to disable the LE check in ispconfig as the check is blocked by the router then and the cert will not be issued.
  5. Fazzax

    Fazzax New Member


    I did the following checks:
    - Check that you have Let’s Encrypt installed.
    - When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System > Server config > web.
    =>Not behind a router
    - Check that all domain names (incl. auto subdomain www etc), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.
    =>checked, everything is fine
    - If you still use Apache 2.2, then update your ispconfig to git-stable branch with the script to get an updated vhost template. After you did that, use Tools > resync to apply the new template to all sites or apply it to a single site by altering a value in the site settings and press save, before you try to activate Let’s Encrypt again. This is only necessary on apache 2.2 systems, newer apache 2.4 or nginx systems are not affected.
    =>Apache/2.4.25 (Debian)
    - If you updated to ISPConfig 3.1 and deselected the "reconfigure services" option during update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ispconfig apache configuration files. Redo the update and choose to reconfigure services in that case.
    =>Did a fresh install

    I've checked the letsencrypt logs, and no error appears in it.
    I followed the instructions to enter ISPConfig debug mode. I resynced everything, and it's stuck on 35 tasks to populate (nothing has changed for the last 15 minutes).

    Should I reboot?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you activate the root cronjob again after you finished debugging?

    and see post #4
  7. Fazzax

    Fazzax New Member

  8. Fazzax

    Fazzax New Member

    Ok, found the solution...

    I actually added a proxy before requesting the certs...
    Removed the directives, requested certs, added the directives and everything's fine!

    Thanks for the help
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to exclude the acme well-known url from being sent to your proxy, otherwise, the LE renewal will fail in 3 months.
  10. Fazzax

    Fazzax New Member

    Right! Thanks Till,

    added ProxyPass /.well-known/ ! before the proxy directives
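
The ordering requirement from posts 9 and 10, as an added example that is not part of the thread: Apache checks ProxyPass rules in configuration order, so the `!` exclusion only protects the ACME challenge URL when it comes before the broader rule. The function names and the backend address 127.0.0.1:8080 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the ACME challenge path is
# excluded from proxying before any ProxyPass rule that would catch it.
# Limits: only plain "ProxyPass <path> <target>" lines are examined; rules in
# <Location> blocks, ProxyPassMatch and RewriteRule [P] are not.

CHALLENGE="/.well-known/acme-challenge/"

# check_acme_exclusion [FILE]  (reads stdin when FILE is omitted)
# Prints OK and returns 0 when the challenge path stays local; otherwise
# prints one FAIL line per offending rule and returns 1.
check_acme_exclusion() {
    awk -v url="$CHALLENGE" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) != "proxypass" || NF < 3 { next }
        index(url, $2) != 1 { next }             # rule path is not a prefix of the challenge URL
        $3 == "!" { excluded = 1; next }         # exclusion seen; later rules cannot capture it
        !excluded {
            printf "FAIL line %d: %s proxied before any /.well-known/ exclusion\n", NR, $2
            bad = 1
        }
        END { if (!bad) print "OK"; exit bad + 0 }
    ' "$@"
}

# Constructed sample: proxy directives with no exclusion.
sample_broken() {
    cat <<'EOF'
# custom Apache directives for the site (backend address is a placeholder)
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
EOF
}

# Constructed sample: exclusion placed before the proxy directives.
sample_fixed() {
    cat <<'EOF'
ProxyPass /.well-known/ !
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
EOF
}

echo "without exclusion: $(sample_broken | check_acme_exclusion)"
echo "with exclusion:    $(sample_fixed | check_acme_exclusion)"
```

Passing a vhost file as the argument checks that file instead of stdin; a non-zero exit means a renewal through the webroot challenge would be sent to the backend.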
