I’m leaving this here in case someone else made the simple mistake I did.
I hit the letsencrypt limit and temporarily used a redirect from http to www. I have a multisite and without valid SSL, subdomains route to the main site.
Then I forgot about it.
In my case, the redirect was why letsencrypt couldn’t verify my domain (yes, I felt stupid).
Since this thread is becoming THE reference on Google for letsencrypt renewal problems with Virtualmin, I’ll mention two other cases I had on the dedi on which I host websites for a fair number of friends or relatives.
First case, already documented here, an .htaccess that wasn’t allowing access to something located within a ./well-known/something/stuff/whatever subdirectory starting with a dot. Honestly no idea what part of the .htaccess wasn’t allowing it, all I know is that temporarily removing the .htaccess (renaming) allowed letsencrypt to do its stuff. Still, worth an email to the owner of the website, he’ll have to get his .htaccess fixed within the next 3 months.
Second case, Apache unable to restart, which prevented the reloading of the configuration files required for the conclusion of a letsencrypt renewal. That was a problem unrelated to letsencrypt, the kind of oddball bug that may happen in very random circumstances (https://www.virtualmin.com/node/64984). But whatever, in other people’s cases, keep in mind Apache may be running perfectly well, but might still be unable to be reloaded. So, just in case, try a service apache2 restart, and if it doesn’t fly (don’t worry, the system checks first if Apache would manage to restart; if it can’t, it doesn’t allow Apache to shut down at all), you have an explanation.
I solved this by disabling configserver then performing the update or request and everything appears to work normally.
I would like to know how to configure Configserver so I don’t have to disable it at all.
I went through all the solutions mentioned here; however, when I manually created the .well-known and .well-known/acme-challenge folders (with owner of domain permissions), it was able to request the cert. My understanding is that it is not able to create those folders and hence not able to create the verification file in them.
For me, it was a problem with the nginx configuration for the site, after I changed it for WordPress / URL rewriting. Solution was to add a location match for .well-known/.
See this answer here: https://stackoverflow.com/a/58854557/1451903
Edit: apologies, I thought the original issue was a 403, not a 404. My answer relates to a 403 error.
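A preflight check covering the causes reported in this thread (redirect, 403 from .htaccess, 404 from rewriting, folders that cannot be created, firewall on port 80), as an added example that is not code from any poster or from Virtualmin. The function names, the `preflight-` file prefix and the token are constructed for illustration; the webroot and base URL are supplied by you.

```python
import http.client, os, secrets
from urllib.parse import urlsplit

CHALLENGE_DIR = ".well-known/acme-challenge"

def classify(status, location, body, token):
    """Map one HTTP response to a failure mode reported in this thread."""
    if status in (301, 302, 303, 307, 308):
        return f"redirect to {location}: the target must serve the same file"
    if status == 403:
        return "403: an .htaccess or server rule denies the dot-directory"
    if status == 404:
        return "404: rewrite rules or wrong webroot hide .well-known/"
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 200:
        return "200 with wrong body: request was rewritten to the application"
    return f"unexpected status {status}"

def place_token(webroot):
    """Create the challenge directory and a constructed test token in it."""
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)  # raises if the folders cannot be created
    name = "preflight-" + secrets.token_hex(8)
    token = secrets.token_hex(16)
    with open(os.path.join(directory, name), "w") as fh:
        fh.write(token)
    return name, token

def probe(base_url, name, token, timeout=10):
    """Fetch the token over plain HTTP without following redirects."""
    parts = urlsplit(base_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_DIR}/{name}")
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return classify(resp.status, resp.getheader("Location"), body, token)
    except OSError as exc:
        return f"connection failed ({exc}): check firewall rules for port 80"
    finally:
        conn.close()

if __name__ == "__main__":
    import sys  # usage: preflight.py /path/to/public_html http://example.test
    name, token = place_token(sys.argv[1])
    print(probe(sys.argv[2], name, token))
    os.remove(os.path.join(sys.argv[1], CHALLENGE_DIR, name))  # clean up test file
```

Run it as the domain's owner so that folder-permission problems show up as an exception from `place_token`, and from a host outside the server when you want the firewall path exercised.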