Let's encrypt renew failing

SYSTEM INFORMATION
**OS type and version:CENTOS 8
**Webmin version:1.981
**Virtualmin version:6.17
Related products version: RECOMMENDED

I have several domains where let’s encrypt certs were able to auto-renew but one subdomain is failing validation. I am only supporting https (firewall is blocking port 80). The logs look like they are looking for the validation using http. However, I don’t understand how the other domains were able to renew.

Here is an excerpt of a working domain from httpd.conf. I have no port 80 VirtualHosts

<VirtualHost xxx.xxx.xxx.xxx:443>
    SuexecUserGroup "#1005" "#1004"
    ServerName domain1.com
    ServerAlias www.domain1.com
    ServerAlias mail.domain1.com
    ServerAlias webmail.domain1.com
    ServerAlias admin.domain1.com
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    DocumentRoot /home/domain1.com/public_html
    ErrorLog /var/log/virtualmin/domain1.com_error_log
    CustomLog /var/log/virtualmin/domain1.com_access_log combined
    ScriptAlias /cgi-bin/ /home/domain1.com/cgi-bin/
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/domain1.com/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    <Directory /home/domain1.com/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.domain1.com
    RewriteRule ^(?!/.well-known)(.*) https://domain1.com:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.domain1.com
    RewriteRule ^(?!/.well-known)(.*) https://domain1.com:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.2
<FilesMatch \.php$>
    SetHandler proxy:fcgi://localhost:8002
</FilesMatch>
SSLEngine on
SSLCertificateFile /home/domain1.com/ssl.cert
SSLCertificateKeyFile /home/domain1.com/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/domain1.com/ssl.ca
</VirtualHost>

Here is an excerpt of the nonworking domain. This domain is a little different in that it is setup to be handled using flask. How do I carve out an exception to allow the ssl renewal. When I initially set this up, the virtual host was setup like above and I got the let’s encrypt cert. THEN, I setup the application using flask but everything was working until the cert expired.:

<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName sub.domain2.com
    #DocumentRoot /home/domain2/domains/sub.domain2.com/public_html
    ErrorLog /var/log/virtualmin/sub.domain2.com_error_log
    CustomLog /var/log/virtualmin/sub.domain2.com_access_log combined
    WSGIDaemonProcess pythonproj python-home=/home/domain2/domains/sub.domain2.com/pythonproj/venv
    WSGIScriptAlias / /home/domain2/domains/sub.domain2.com/pythonproj/pythonproj.wsgi
    WSGIProcessGroup pythonproj
    WSGIApplicationGroup %{GLOBAL}
    #DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    #<Directory /home/domain2/domains/sub.domain2.com/public_html>
    #Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
    #allow from all
    #AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    #Require all granted
    #</Directory>
    #<Directory /home/domain2/domains/sub.domain2.com/cgi-bin>
    #allow from all
    #AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    #Require all granted
    #</Directory>
    <Directory /home/domain2/domains/sub.domain2.com/pythonproj>
    Options -Indexes
    Order deny,allow
    Require all granted
    </Directory>
    RewriteEngine on
    #RewriteCond %{HTTP_HOST} =webmail.sub.domain2.com
    #RewriteRule ^(?!/.well-known)(.*) https://sub.domain2.com:20000/ [R]
    #RewriteCond %{HTTP_HOST} =admin.sub.domain2.com
    #RewriteRule ^(?!/.well-known)(.*) https://sub.domain2.com:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.2
<FilesMatch \.php$>
    SetHandler proxy:fcgi://localhost:8004
</FilesMatch>
SSLEngine on
SSLCertificateFile /home/domain2/domains/sub.domain2.com/ssl.cert
SSLCertificateKeyFile /home/domain2/domains/sub.domain2.com/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/domain2/domains/sub.domain2.com/ssl.ca
</VirtualHost>