It produced this output:
Checking / creating certificate for isp3.bping.de
Using certificate path /etc/letsencrypt/live/isp3.bping.de
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/isp3.bping.de
[Do 25. Jul 17:31:19 CEST 2024] isp3.bping.de: Invalid status. Verification error details: During secondary validation: DNS problem: SERVFAIL look ing up CAA for isp3.bping.de - the domain's nameservers may be malfunctioning
[Do 25. Jul 17:31:19 CEST 2024] Please check log file for more details: /var/log/ispconfig/acme.log
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
My web server is (include version): Apache/2.4.61 (Debian)
The operating system my web server runs on is (include version): Debian 12
My hosting provider, if applicable, is: Hetzner
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ispconfig 3.2.12
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh --version
v3.0.8
After I messed up my Ispconfig installtion I tried to renew my certificate. I already added a CAA entry, but this does not help.
You need your domain name working first before you can get a certificate. The CAA record itself or lack thereof probably isn't a problem (having no record is fine, but adding one can help increase the security of your domain), but in order to check it Let's Encrypt has to contact your DNS server and right now it's getting different answers from different places about where to check, some of which aren't right.
Thank you very much.
I had two NS records for the domain bping.de (piers.ns.cloudflare.com & lia.ns.cloudflare.com). I don't remember why I added them, but it was working for years with this setup. I removed those 2 entries 48 hours ago. So I don't get why ns01.v-dns.de is still listing them. But I assume time will solve my problem now.