diff --git a/scripts/70-nginx.sh b/scripts/70-nginx.sh
index 72424cc..b52f8f5 100644
--- a/scripts/70-nginx.sh
+++ b/scripts/70-nginx.sh
@@ -205,20 +205,41 @@ build_site_acme_only(){
   local host="$1" outfile="$2"
 
   cat > "$outfile" <<CONF
-# --- ${host} : ACME-only (für LE-HTTP-01) ---
+# --- ${host} : ACME-only (80 + 443), KEIN App-Root ---
 server {
   listen 80;
   listen [::]:80;
   server_name ${host};
 
-  # Nur Challenge-Dateien ausliefern
+  # HTTP-01 Challenge exakt ausliefern
   location ^~ /.well-known/acme-challenge/ {
     root ${ACME_ROOT};
-    allow all;
+    default_type "text/plain";
+    try_files \$uri =404;
+  }
+
+  # Alles andere → nach https
+  location / { return 301 https://\$host\$request_uri; }
+}
+
+server {
+  listen 443 ssl${NGINX_HTTP2_SUFFIX};
+  listen [::]:443 ssl${NGINX_HTTP2_SUFFIX};
+  server_name ${host};
+
+  ssl_certificate     /etc/ssl/mail/fullchain.pem;
+  ssl_certificate_key /etc/ssl/mail/privkey.pem;
+  ssl_protocols       TLSv1.2 TLSv1.3;
+
+  # Auch via https die Challenge bedienen (falls Redirects gefolgt werden)
+  location ^~ /.well-known/acme-challenge/ {
+    root ${ACME_ROOT};
+    default_type "text/plain";
+    try_files \$uri =404;
   }
 
   # Sonst nichts preisgeben
-  return 204;
+  location / { return 444; }
 }
 CONF
 }
@@ -228,21 +249,21 @@ MX_SITE="/etc/nginx/sites-available/mx-mailwolt.conf"
 UI_SITE="/etc/nginx/sites-available/ui-mailwolt.conf"
 WEBMAIL_SITE="/etc/nginx/sites-available/webmail-mailwolt.conf"
 
-build_site_acme_only "${MAIL_HOSTNAME}" "$MX_SITE"
-
-if [[ "${PROXY_MODE}" -eq 1 ]]; then
-  # Hinter NPM/Proxy: Backend nur HTTP:80 (keine Redirects, kein 443)
+# UI & Webmail wie gehabt …
+if [[ "${PROXY_MODE:-0}" -eq 1 ]]; then
   build_site_http_only "$UI_HOST"      "$UI_SITE"
   build_site_http_only "$WEBMAIL_HOST" "$WEBMAIL_SITE"
 else
-  # Live-Server: 80→443 + TLS vHosts
-  build_site_tls "$UI_HOST"      "/etc/ssl/ui"      "$UI_SITE"
-  build_site_tls "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
+  build_site_tls       "$UI_HOST"      "/etc/ssl/ui"      "$UI_SITE"
+  build_site_tls       "$WEBMAIL_HOST" "/etc/ssl/webmail" "$WEBMAIL_SITE"
 fi
 
-ln -sf "$MX_SITE" "/etc/nginx/sites-enabled/mx-mailwolt.conf"
-ln -sf "$UI_SITE"      "/etc/nginx/sites-enabled/ui-mailwolt.conf"
-ln -sf "$WEBMAIL_SITE" "/etc/nginx/sites-enabled/webmail-mailwolt.conf"
+# MX: **immer** ACME-only (kein Laravel dahinter)
+build_site_acme_only "${MAIL_HOSTNAME}" "$MX_SITE"
+
+ln -sf "$UI_SITE"      /etc/nginx/sites-enabled/ui-mailwolt.conf
+ln -sf "$WEBMAIL_SITE" /etc/nginx/sites-enabled/webmail-mailwolt.conf
+ln -sf "$MX_SITE"      /etc/nginx/sites-enabled/mx-mailwolt.conf
 
 # ── Real-IP nur, wenn Proxy davor ──────────────────────────────────────────
 if [[ "${PROXY_MODE}" -eq 1 && -n "${NPM_IP}" ]]; then
diff --git a/scripts/75-le-issue.sh b/scripts/75-le-issue.sh
index a2c2a85..1de7be7 100644
--- a/scripts/75-le-issue.sh
+++ b/scripts/75-le-issue.sh
@@ -3,29 +3,46 @@ set -euo pipefail
 source ./lib.sh
 
 ACME_WEBROOT="/var/www/letsencrypt"
+install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
+
+CERTBOT_EXTRA=()
+LE_STAGING="${LE_STAGING:-0}"  # 1 = Let's Encrypt Staging aktivieren
+[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
 
 resolve_ok() {
   local host="$1"
-  getent ahosts "$host" | awk '{print $1}' | sort -u | grep -q -F "$SERVER_PUBLIC_IPV4"
+  local pats=()
+  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && pats+=("${SERVER_PUBLIC_IPV4//./\\.}")
+  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && pats+=("${SERVER_PUBLIC_IPV6//:/\\:}")
+  # Wenn gar nichts bekannt ist, lieber nicht blockieren:
+  [[ ${#pats[@]} -eq 0 ]] && return 0
+  getent ahosts "$host" | awk '{print $1}' | sort -u \
+    | grep -Eq "^($(IFS='|'; echo "${pats[*]}"))$"
+}
+
+probe_http() {
+  local host="$1"
+  echo test > "${ACME_WEBROOT}/.well-known/acme-challenge/_probe"
+  curl -fsS --max-time 5 -4 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null \
+  || curl -fsS --max-time 5 -6 "http://${host}/.well-known/acme-challenge/_probe" >/dev/null
 }
 
 issue() {
   local host="$1"
   echo "[i] Versuche LE für ${host} …"
-  if ! resolve_ok "$host"; then
-    echo "[!] DNS zeigt (noch) nicht auf diese IP – überspringe: ${host}"
-    return 0
+  resolve_ok "$host" || { echo "[!] DNS zeigt (noch) nicht hierher – skip ${host}"; return 0; }
+
+  if ! probe_http "$host"; then
+    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
   fi
 
-  # Für MX den Schlüssel beibehalten, damit TLSA (3 1 1) stabil bleibt
+  # MX: Key beibehalten (TLSA 3 1 1 bleibt stabil)
   EXTRA_ARGS=()
-  if [[ "$host" == "$MAIL_HOSTNAME" ]]; then
-    EXTRA_ARGS+=(--reuse-key)
-  fi
+  [[ "$host" == "$MAIL_HOSTNAME" ]] && EXTRA_ARGS+=(--reuse-key)
 
   certbot certonly --agree-tos -m "${LE_EMAIL:-admin@${BASE_DOMAIN}}" \
     --non-interactive --webroot -w "$ACME_WEBROOT" -d "$host" \
-    "${EXTRA_ARGS[@]}" || true
+    "${EXTRA_ARGS[@]}" "${CERTBOT_EXTRA[@]}" || true
 }
 
 if [[ "$BASE_DOMAIN" != "example.com" ]]; then
@@ -33,10 +50,9 @@ if [[ "$BASE_DOMAIN" != "example.com" ]]; then
   issue "$WEBMAIL_HOST"
   issue "$MAIL_HOSTNAME"
 
-  # Nginx neu laden (Symlink-Hook verlinkt die neuen Zerts)
   systemctl reload nginx || true
 
-  # Direkt nach Erst-Ausstellung TLSA für MX einmal erzeugen
+  # TLSA direkt einmal schreiben (Hook macht es bei Renewals sowieso)
   MX_CERT="/etc/letsencrypt/live/${MAIL_HOSTNAME}/fullchain.pem"
   if [[ -s "$MX_CERT" ]]; then
     HASH="$(openssl x509 -in "$MX_CERT" -noout -pubkey \
@@ -48,5 +64,5 @@ if [[ "$BASE_DOMAIN" != "example.com" ]]; then
     echo "[TLSA] ${TLSA_LINE}"
   fi
 else
-  echo "[i] BASE_DOMAIN=example.com – LE-Ausstellung wird übersprungen."
+  echo "[i] BASE_DOMAIN=example.com – LE wird übersprungen."
 fi
\ No newline at end of file