–This is more of an “FYI / For Reference post, in the hopes I can save others time/hair pulling.–
This is a problem I’ve run in to with our SimpleHelp host, “behind” a branded “Untangle” or “Arista” firewall appliance.
Recently I had a failure to renew/re-apply a Let’s Encrypt certificate. Thanks to Chris@Support here, we found that external global IP addresses were being blocked on the way “In” to our server causing the renewal to fail.
If others should find they’re also having this problem, the “Untangle” branded application to blame was “Threat Prevention”. Completely disabling the app and retrying solved our problem and the cert renewed (re-applied) worked with no further issue.
With luck the “pass” rule for incoming traffic I’ve set will help us in the future as well, but if you’re stuck with failed renewal for a Let’s encrypt cert and REALLY want it fixed NOW like I did, turn “Threat Prevention” off temporarily.