Fixing Let's Encrypt Renewal Issues with ISPConfig and Multi-Server Setups

Fixing Let's Encrypt Renewal Issues with ISPConfig and Multi-Server Setups

Table of Contents

The Problem: Automatic Renewal Fails for Control Panel Domain

When using Let’s Encrypt with ISPConfig on multi-server setups, you might encounter a situation where:

  • Certificates renew automatically for regular domains (like webmail.example.com)
  • Renewal fails for the control panel domain (controlpanel.example.com)
  • The only workaround is stopping Apache and using standalone mode:
systemctl stop apache2
certbot renew --standalone
systemctl start apache2

Root Cause Analysis

The issue typically occurs because:

  • Redirect Conflicts: The control panel domain redirects to the webmail domain.
  • Authentication Method Mismatch:
    • webmail.example.com uses webroot authentication.
    • controlpanel.example.com is configured for standalone authentication.
  • ACME Validation Failure: Let’s Encrypt can’t validate the domain when it gets redirected.

The Solution: Proper VirtualHost Configuration

Step 1: Create a Dedicated VirtualHost

cp /etc/apache2/sites-available/webmail.example.com.conf \
   /etc/apache2/sites-available/controlpanel.example.com.conf

Edit the new configuration file:

<VirtualHost *:80>
    ServerName controlpanel.example.com
    DocumentRoot /var/www/clients/client1/web1/web

    # Remove any redirect rules

    # Ensure this exists for ACME challenges:
    <Directory "/var/www/clients/client1/web1/web/.well-known/acme-challenge">
        Allow from all
    </Directory>
</VirtualHost>

Step 2: Enable the Site

a2ensite controlpanel.example.com
systemctl reload apache2

Step 3: Update Let’s Encrypt Configuration

Edit the renewal config file:

nano /etc/letsencrypt/renewal/controlpanel.example.com.conf

Update these values:

authenticator = webroot
webroot_path = /var/www/clients/client1/web1/web

Step 4: Test the Configuration

Verify the domain responds correctly:

curl -v http://controlpanel.example.com/.well-known/acme-challenge/test

Perform a dry run:

certbot renew --dry-run

ISPConfig-Specific Recommendations

If you’re using ISPConfig:

  • ✅ Create the site properly in the panel rather than manually editing configs.
  • ✅ Verify document root paths match your webroot configuration.
  • ✅ Disable automatic redirects in the domain settings.
  • ✅ Check DNS settings to ensure proper resolution.

Final Verification

After implementing these changes:

  • ✅ Automatic renewals should work without stopping Apache
  • ✅ Both controlpanel.example.com and webmail.example.com will maintain valid certificates
  • ✅ All services remain accessible during renewal

Remember to monitor your next scheduled renewal to confirm the fix works properly.

Share :

Related Posts

How to Use CI/CD to Improve Your Workflow

How to Use CI/CD to Improve Your Workflow

In today’s fast-paced development world, manual deployments are not only time-consuming but also error-prone. Whether you’re a freelancer, a small agency, or managing internal tools, CI/CD (Continuous Integration & Deployment) can dramatically improve how you build, test, and ship software.

Read More
Understanding Kubernetes: When and Why to Adopt It

Understanding Kubernetes: When and Why to Adopt It

Kubernetes (often abbreviated as K8s) has become the de facto standard for orchestrating containerized workloads. But while it offers powerful scalability, fault tolerance, and automation, it isn’t always the best first step for every project.

Read More
Why You Should Move Your Laravel App to Docker

Why You Should Move Your Laravel App to Docker

If you’re maintaining a Laravel app — whether it’s a startup MVP, a custom-built admin panel, or a full-featured SaaS product — Docker should be part of your toolchain.

Read More