Hello @roger2,
From this Permanent link to this check report I believe that you have Geo Blocking going on.
Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt
Please see:
Edit
However Let's Debug yields results of "OK" here https://letsdebug.net/zeezicht-oostende.be/2449062
And it seem server: Apache
$ curl -Ii http://zeezicht-oostende.be/.well-known/acme-challenge/IsCBy648arUtLmSddFx9M4Z2OD7BGAd84gUK03Jo_wx -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 404 Not Found
date: Fri, 16 May 2025 21:17:15 GMT
content-type: text/html; charset=iso-8859-1
alt-svc: h3=":443";ma=180;
server: Apache
And here the certificate has subject: CN=*.zxcs.be
that causes this error curl: (60) SSL: no alternative certificate subject name matches target host name 'zeezicht-oostende.be'
$ curl -k -vv -Ii https://zeezicht-oostende.be
* Host zeezicht-oostende.be:443 was resolved.
* IPv6: 2a06:2ec0:1:e::164
* IPv4: 185.220.172.65
* Trying 185.220.172.65:443...
* Connected to zeezicht-oostende.be (185.220.172.65) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.zxcs.be
* start date: Jul 8 00:00:00 2024 GMT
* expire date: Jul 22 23:59:59 2025 GMT
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://zeezicht-oostende.be/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: zeezicht-oostende.be]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: zeezicht-oostende.be
> User-Agent: curl/8.5.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 403
HTTP/2 403
< date: Fri, 16 May 2025 21:23:33 GMT
date: Fri, 16 May 2025 21:23:33 GMT
< content-type: text/html; charset=iso-8859-1
content-type: text/html; charset=iso-8859-1
< alt-svc: h3=":443";ma=180;
alt-svc: h3=":443";ma=180;
< server: Apache
server: Apache
<
* Connection #0 to host zeezicht-oostende.be left intact
Have you restarted Apache after retrieving and installing the issued certificate?
Please show the output of this command. sudo apachectl -t -D DUMP_VHOSTS