Let’s Encrypt Error FAQ

Discussion in 'General' started by till, Oct 5, 2016.

Thread Status:
Not open for further replies.
  1. till

    till Super Moderator Staff Member ISPConfig Developer

    There are many threads that deal with problems to generate SSL certificates with Let’s Encrypt so I start a FAQ here.

    Why does Letsencrypt does not create an SSL cert

    Let’s Encrypt verifies your server by downloading an individual token from each domain of the website, including auto-subdomains, subdomains, and aliasdomains. If one of these domains and subdomains is unreachable (no DNS, wrong DNS etc) then letsencrypt will refuse to create the SSL cert.

    Why does the Let’s Encrypt in ISPConfig get disabled automatically?

    When the creation of the SSL certificate trough Let’s Encrypt fails, then the Let’s Encrypt gets disabled in ISPConfig.

    What can I do if SSL certificate creation with Let’s Encrypt fails?

    - Check that you have Let’s Encrypt (certbot) installed. ISPConfig 3.1.16 and newer will also support acme.sh as client.
    - Check that the Let's encrypt client 'certbot' is updated (when using certbot).
    - Check that you run the latest ISPConfig version.
    - When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System > Server config > web.
    - Check that all domain names (icl auto subdomain www etc), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.
    - If you still use Apache 2.2, then update your ispconfig to git-stable branch with the ispconfig_update.sh script to get an updated vhost template. After you did that, use Tools > resync to apply the new template to all sites or apply it to a single site by altering a value in the site settings and press save, before you try to activate Let’s Encrypt again. This is only necessary on apache 2.2 systems, newer apache 2.4 or nginx systems are not affected.
    - If you updated to ISPConfig 3.1 and deselected the "reconfigure services" option during update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ispconfig apache configuration files. Redo the update and chose to reconfigure services in that case.

    Where do I find detailed error messages?

    You can find the log files here when using certbot: /var/log/letsencrypt
    or here: /root/.acme.sh/acme.sh.log when using acme.sh

    What if the above steps don't help?

    Then use the ISPConfig debug mode to find out what the reason for the failure is:

    Last edited: Jan 24, 2021
    Fire Fox, HenrysCat, Th0m and 7 others like this.
Thread Status:
Not open for further replies.

Share This Page