LetsEncrypt and WAF on Real Server

UTM 9.705-7

No problem getting & renewing a LE cert in UTM's Certificate Management.  Works great, lasts a long time ;)

Having a problem renewing my LE cert on the real web server behind WAF.

The virt profile for my real server is configured - Type: Encrypted (HTTPS) & redirect.

My LE log shows that when it does the http portion of the challenge 

"url": "http://mydomain.com/.well-known/acme-challenge/XcPCjsRjZk__ATxYfZ_a24Yt-VFKey30cRS2recVpsL1GP2iTg"
it fails with an invalid response.

My workaround is to enable a NAT rule on port 80 to my real server and then manually run the certbot renew on my real server.

For what it matters, my real server is a LEMP stack.

Is "Encrypted (HTTPS) & redirect" incompatible with LE renewals?  (aka anyone else having this issue?)

Do I need to set up a separate profile for http to my real server?

Is this covered somewhere and I just don't know the right search terms?

My goal is to have my real server auto renew on its own fully behind WAF.
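A preflight check for the situation described in the post, added here as an illustration (it is not code from the original post, from Sophos UTM or from certbot). It reproduces what a CA's HTTP-01 validator does: GET `http://<host>/.well-known/acme-challenge/<token>`, follow redirects (Let's Encrypt does follow them, including to HTTPS), and accept only a final 200 whose body is the key authorization `<token>.<account-thumbprint>`. Running it against the real hostname shows every hop and which one produced the "invalid response", which is the information the LE log above does not give. The demo at the bottom stands up two constructed local layouts: port 80 answered by the origin itself (the NAT workaround) versus port 80 redirecting to a listener that never sees the challenge path. Tokens, thumbprints and 127.0.0.1 ports are constructed for the demo.

```python
"""Preflight an ACME HTTP-01 challenge the way a CA validator would.

Added example, not from the original post, Sophos UTM or certbot.
Assumed validator behaviour: GET the challenge URL, follow redirects
(HTTP or HTTPS), accept only a 200 whose body is "<token>.<thumbprint>".
Tokens, thumbprints and local ports below are constructed for the demo.
"""
import http.client
import http.server
import threading
import urllib.parse
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACME_PATH = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10  # validators follow redirects but cap the chain


@dataclass
class ProbeResult:
    ok: bool
    final_url: str
    status: Optional[int]
    hops: List[Tuple[str, int]] = field(default_factory=list)  # (url, status) per hop
    reason: str = ""


def probe_http01(url: str, key_authorization: str, timeout: float = 5.0) -> ProbeResult:
    """Fetch the challenge URL, record every hop, judge the final answer."""
    hops: List[Tuple[str, int]] = []
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        parts = urllib.parse.urlsplit(current)
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
            resp = conn.getresponse()
            body = resp.read()
        except OSError as exc:
            return ProbeResult(False, current, None, hops, f"connection failed: {exc}")
        finally:
            conn.close()
        hops.append((current, resp.status))
        if resp.status in (301, 302, 303, 307, 308):
            location = resp.getheader("Location")
            if not location:
                return ProbeResult(False, current, resp.status, hops, "redirect without Location header")
            current = urllib.parse.urljoin(current, location)  # follow, like the validator
            continue
        if resp.status != 200:
            return ProbeResult(False, current, resp.status, hops, f"final hop answered {resp.status}")
        if body.decode("utf-8", "replace").strip() != key_authorization:
            return ProbeResult(False, current, 200, hops, "200 but body is not the key authorization")
        return ProbeResult(True, current, 200, hops, "ok")
    return ProbeResult(False, current, None, hops, "too many redirects")


def start_origin(challenges: Dict[str, str], redirect_to: Optional[str] = None) -> http.server.ThreadingHTTPServer:
    """Constructed stand-in web server on 127.0.0.1: serves the challenge files it
    knows, 404 otherwise. With redirect_to set it bounces every request there first,
    which is what a front end doing 'Encrypted (HTTPS) & redirect' looks like on port 80."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            if redirect_to:
                self.send_response(301)
                self.send_header("Location", redirect_to + self.path)
                self.end_headers()
                return
            token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else ""
            key_auth = challenges.get(token)
            if key_auth is None:
                self.send_response(404)
                self.end_headers()
                return
            payload = key_auth.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo() -> Dict[str, ProbeResult]:
    """Origin answering port 80 directly (NAT workaround) vs. port 80 redirecting
    to a listener without the challenge path. Values are constructed."""
    token = "constructed-token-0123456789abcdef"
    key_auth = token + ".constructed-account-thumbprint"
    origin = start_origin({token: key_auth})
    https_side = start_origin({})  # stands in for a virtual host that lacks the path
    front = start_origin({token: key_auth}, redirect_to=f"http://127.0.0.1:{https_side.server_address[1]}")
    results = {
        "direct": probe_http01(f"http://127.0.0.1:{origin.server_address[1]}{ACME_PATH}{token}", key_auth),
        "redirected": probe_http01(f"http://127.0.0.1:{front.server_address[1]}{ACME_PATH}{token}", key_auth),
    }
    for server in (origin, https_side, front):
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result.ok, result.status, result.reason, result.hops)
```

Against a live host, call `probe_http01("http://mydomain.com/.well-known/acme-challenge/<token>", "<token>.<thumbprint>")` while the token file is in place on the origin; the `hops` list tells you whether the request was redirected, where it ended, and whether the final hop served the token or a default page. In the constructed redirect case the origin does have the file, but the validator never reaches it, which is the pattern to look for when the log only says "invalid response".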