ISPConfig makes it difficult to send an e-mail to be interpreted by the local server. All e-mail addresses are handled by the information in the database. In order to do this, you need to create an alias to an e-mail alias on localhost.

1. In ISPConfig, create a forwarder something@example.com, pointing to something@localhost
2. From the server CLI, open /etc/aliases and add an alias like:

   something "|/full/path/to/script parameter parameter"

3. Run

   newaliases ; service postfix reload

At this point, anything sent to something@localhost will be executed on the server by the command /full/path/to/script

This is old, as ISPConfig v3.3 or something fixed most of these problems, and you can install your certs during installation

ISPConfig3 has support for using Certbot with its web sites. However, it is more difficult to get the certbot to work with your mail/ftp/whatever, including the control panel. User ahrasis wrote a very nice article on this. Actually, he says it best, so I'll leave it up to him

https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

This one drove me up a tree, and used several hours of my time, but I finally got it fixed after reading https://www.niih.de/fixed-warning-could-not-verify-domain-so-excluding-it-from-letsencrypt-request/.

Bottom line: ISPConfig v2.9, I think, does some checking on the ability to reach a web site before requesting a Certbot SSL certificate. This is still a little flaky in this version, and various things can make it fail (behind a DMZ, split DNS).

Simply go to System | Server Config | {server name} | Web | SSL Settings and put a check mark in “Skip Lets Encrypt Check”

ISPConfig will work with /var/www on an NFS share, but you should do a couple of things first. Go to

System | Server Config | {server name} | Web

* Put a check mark in Network Filesystem * Uncheck Make web folders immutable (click Permissions) to disable extended attributes that many network file systems won't handle.

More and more, ISPConfig is moving to acme.sh vs the older certbot to manage LetsEncrypt SSL certificates. I really like it because it appears to be much cleaner.

Till Brehm, one of the developers over at ISPConfig made a quick note for people who accidentally have certbot installed prior to the ISPConfig installation. ISPConfig will attempt to detect if this is the case and simply fall back to using it.

I already had a broken system, so I decided to see if I could use what he said to move my system over from certbot to acme.sh, and it worked (kinda'). I missed a couple of steps and broke my server pretty well, but was able to recover.

Tills comments (at https://forum.howtoforge.com/threads/acme-sh-on-new-install.86553/), give an order to fixing a new installation (before you have any sites), but I modified it to work with an already populated one. NOTE: your web sites will be down, or not available over https, for a while if you do this.

1. Go through every web site and disable SSL
2. Remove Configuration

   mv /etc/letsencypt /etc/letsencrypt.disabled

3. Remove certbot

   mv /opt/certbot /opt/certbot.disabled # may be called other things

   OR, if you installed from a package manager, simply uninstall it.

4. Install the acme.sh code

   curl https://get.acme.sh | sh -s

5. Reconfigure ispconfig

   ispconfig_update.sh --force

6. Go through every web site and enable LetsEncrypt SSL

Step 3 is difficult, as cerbot has been installed in various places at various times, so it could be called anything. Normally, if not part of a package manager installation, it is in /opt.'

The last line will reconfigure ispconfig. All you really care about (maybe) is generating a new certificate for the control panel, mail server and ftp.