diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 688fd32a834cb0c2566a287f3efc10644aaa24f0..dabbfd6d79eb99dda39b2303e90d84b48b5c113f 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -3023,6 +3023,9 @@ class installer_base {
 
 				swriteln('acme.sh is installed, overriding certificate path to use ' . $acme_cert_dir);
 
+				# acme.sh does not set umask, resulting in incorrect permissions (ispconfig issue #6015)
+				$old_umask = umask(0022);
+
 				$out = null;
 				$ret = null;
 				if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
@@ -3044,6 +3047,7 @@ class installer_base {
 					$acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
 					exec("$acme --install-cert -d " . escapeshellarg($hostname) . " $acme_key $acme_chain");
 					$issued_successfully = true;
+					umask($old_umask);
 
 					// Make temporary backup of self-signed certs permanent
 					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
@@ -3056,6 +3060,8 @@ class installer_base {
 				} else {
 					swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
 
+					umask($old_umask);
+
 					// Restore temporary backup of self-signed certs
 					if(file_exists($ssl_crt_file.'-temporary.bak') || is_link($ssl_crt_file.'-temporary.bak'))
 						rename($ssl_crt_file.'-temporary.bak', $ssl_crt_file);
diff --git a/server/lib/classes/letsencrypt.inc.php b/server/lib/classes/letsencrypt.inc.php
index a118d55769941f386311885cfecc86c02f903de4..a2e6a5c380144ecc864259b5dc149169eff4d10d 100644
--- a/server/lib/classes/letsencrypt.inc.php
+++ b/server/lib/classes/letsencrypt.inc.php
@@ -317,8 +317,15 @@ class letsencrypt {
 		if($this->get_acme_script()) {
 			$use_acme = true;
 		} elseif(!$this->get_certbot_script()) {
+			$app->log("Unable to find Let's Encrypt client, installing acme.sh.", LOGLEVEL_DEBUG);
 			// acme and le missing
 			$this->install_acme();
+			if($this->get_acme_script()) {
+				$use_acme = true;
+			} else {
+				$app->log("Unable to install acme.sh.  Cannot proceed, no Let's Encrypt client found.", LOGLEVEL_WARN);
+				return false;
+			}
 		}
 
 		$tmp = $app->letsencrypt->get_website_certificate_paths($data);
@@ -399,11 +406,13 @@ class letsencrypt {
 		$this->certbot_use_certcommand = false;
 		$letsencrypt_cmd = '';
 		$allow_return_codes = null;
+		$old_umask = umask(0022);  # work around acme.sh permission bug, see #6015
 		if($use_acme) {
 			$letsencrypt_cmd = $this->get_acme_command($temp_domains, $key_file, $bundle_file, $crt_file, $server_type);
 			$allow_return_codes = array(2);
 		} else {
 			$letsencrypt_cmd = $this->get_certbot_command($temp_domains);
+			umask($old_umask);
 		}
 
 		$success = false;
@@ -420,6 +429,7 @@ class letsencrypt {
 		}
 
 		if($use_acme === true) {
+			umask($old_umask);
 			if(!$success) {
 				$app->log('Let\'s Encrypt SSL Cert for: ' . $domain . ' could not be issued.', LOGLEVEL_WARN);
 				$app->log($letsencrypt_cmd, LOGLEVEL_WARN);