Fixing Let's Encrypt Renewal Issues with ISPConfig and Multi-Server Setups

The Problem: Automatic Renewal Fails for Control Panel Domain

When using Let’s Encrypt with ISPConfig on multi-server setups, you might encounter a situation where:

  • Certificates renew automatically for regular domains (like webmail.example.com)
  • Renewal fails for the control panel domain (controlpanel.example.com)
  • The only workaround is stopping Apache and using standalone mode:

systemctl stop apache2
certbot renew --standalone
systemctl start apache2

Root Cause Analysis

The issue typically occurs because:

  • Redirect Conflicts: The control panel domain redirects to the webmail domain.
  • Authentication Method Mismatch:
    • webmail.example.com uses webroot authentication.
    • controlpanel.example.com is configured for standalone authentication.
  • ACME Validation Failure: Let’s Encrypt can’t validate the domain when it gets redirected.

The Solution: Proper VirtualHost Configuration

Step 1: Create a Dedicated VirtualHost

cp /etc/apache2/sites-available/webmail.example.com.conf \
   /etc/apache2/sites-available/controlpanel.example.com.conf

Edit the new configuration file:

<VirtualHost *:80>
    ServerName controlpanel.example.com
    DocumentRoot /var/www/clients/client1/web1/web

    # No Redirect or RewriteRule in this block: the ACME validator must be
    # answered directly on port 80, not sent on to webmail.example.com

    # Ensure this exists for ACME challenges:
    <Directory "/var/www/clients/client1/web1/web/.well-known/acme-challenge">
        # Apache 2.4 syntax; on Apache 2.2 use "Allow from all" instead
        Require all granted
    </Directory>
</VirtualHost>

Step 2: Enable the Site

a2ensite controlpanel.example.com
systemctl reload apache2

Step 3: Update Let’s Encrypt Configuration

Edit the renewal config file:

nano /etc/letsencrypt/renewal/controlpanel.example.com.conf

Update these values (they belong to the [renewalparams] section; certbot also keeps a per-domain map below it that must point at the same directory):

[renewalparams]
authenticator = webroot
# certbot writes webroot_path as a list, hence the trailing comma
webroot_path = /var/www/clients/client1/web1/web,
[[webroot_map]]
controlpanel.example.com = /var/www/clients/client1/web1/web

Step 4: Test the Configuration

Verify that the domain answers on the challenge path itself instead of redirecting (a 404 for the nonexistent test file is fine; a 301/302 to webmail.example.com means the redirect is still in place):

curl -v http://controlpanel.example.com/.well-known/acme-challenge/test

Perform a dry run:

certbot renew --dry-run
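As an added check that is not part of the original article: a small self-test that drops a token into the webroot and fetches it the way the ACME validator would, so a lingering redirect or a DocumentRoot that does not match webroot_path is caught before certbot runs. The domain and webroot in the usage line are the ones from the article; the function names are my own.

```shell
#!/bin/sh
# Self-test for the http-01 webroot path before trusting "certbot renew".
# Added example, not from the original article; the domain and webroot in
# the usage comment at the bottom are the ones used in the article.
set -eu

# Classify one probe result. Only the first branch means renewal can work;
# the others name the misconfigurations discussed in the article.
# Args: HTTP status, redirect target ("" if none), response body, expected token.
classify_probe() {
    status=$1; redirect=$2; body=$3; expected=$4
    case "$status" in
        200)
            if [ "$body" = "$expected" ]; then
                echo "OK: challenge served from the expected webroot"; return 0
            fi
            echo "FAIL: 200 with wrong content; another vhost or DocumentRoot answered"; return 1 ;;
        301|302|307|308)
            echo "FAIL: redirected to $redirect; remove the redirect from the port-80 vhost"; return 2 ;;
        404)
            echo "FAIL: 404; webroot_path does not match the DocumentRoot serving this name"; return 3 ;;
        *)
            echo "FAIL: unexpected HTTP status $status (connection or DNS problem?)"; return 4 ;;
    esac
}

# Drop a throwaway token into the webroot, fetch it over plain HTTP without
# following redirects (the ACME validator must find it at exactly this URL),
# then clean up. Usage: probe_acme_path DOMAIN WEBROOT
probe_acme_path() {
    domain=$1; webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token="selftest-$(date +%s)-$$"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    tmp=$(mktemp)
    # -w appends "STATUS REDIRECT_URL" to stdout after the body goes to the temp file
    out=$(curl -sS -o "$tmp" -w '%{http_code} %{redirect_url}' \
          "http://$domain/.well-known/acme-challenge/$token" || echo "000 ")
    body=$(cat "$tmp")
    rm -f "$tmp" "$dir/$token"
    classify_probe "${out%% *}" "${out#* }" "$body" "$token"
}

# Probe only when run with both arguments, e.g.
#   sh check_acme_path.sh controlpanel.example.com /var/www/clients/client1/web1/web
if [ $# -eq 2 ]; then
    probe_acme_path "$1" "$2"
fi
```

Run it on the web node that serves controlpanel.example.com; a non-zero exit code tells you which of the three failure modes you are looking at.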

ISPConfig-Specific Recommendations

If you’re using ISPConfig:

  • ✅ Create the site properly in the panel rather than manually editing configs.
  • ✅ Verify document root paths match your webroot configuration.
  • ✅ Disable automatic redirects in the domain settings.
  • ✅ Check DNS settings to ensure proper resolution.

Final Verification

After implementing these changes:

  • ✅ Automatic renewals should work without stopping Apache
  • ✅ Both controlpanel.example.com and webmail.example.com will maintain valid certificates
  • ✅ All services remain accessible during renewal

Remember to monitor your next scheduled renewal to confirm the fix works properly.