Let's encrypt: Error challenge is invalid

Question

I'm trying to get a LE certificate for 2 domainnames that both point to the same IP-address (which is the same UTM on it's external interface). 
 However cert doesn't get generated, see log for errors (I have partly obfuscated the domainnames and my IP-address): 
 
 2018:09:26-14:54:02 firewall letsencrypt[9407]: I Renew certificate: handling CSR REF_CaCsrLetsEncryUtm for domain set [firewall.****s.eu,utm.****s.eu] 2018:09:26-14:54:02 firewall letsencrypt[9407]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain firewall.****s.eu --domain utm.****s.eu 2018:09:26-14:54:08 firewall letsencrypt[9407]: I Renew certificate: command completed with exit code 256 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: { 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "type": "http-01", 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "status": "invalid", 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "error": { 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:unauthorized", 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "detail": "Invalid response from firewall.****s.eu/.../TNi4gpGYdTnXumYHVFQIjuEw0f1wweFhNbEfIceKr38: q%!(EXTRA string=\u003c!DOCTYPE html\u003e
\u003chtml\u003e
\u003chead\u003e
\u003cmeta charset=\"utf-8\"\u003e
\u003cstyle\u003ebody{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig)", 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "status": 403 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: }, 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "uri": " acme-v01.api.letsencrypt.org/.../7689019129", 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "token": "TNi4gpGYdTnXumYHVFQIjuEw0f1wweFhNbEfIceKr38", 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "validationRecord": [ 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: { 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "url": " firewall.****s.eu/.../TNi4gpGYdTnXumYHVFQIjuEw0f1wweFhNbEfIceKr38", 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "hostname": "firewall.****s.eu", 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "port": "80", 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "addressesResolved": [ 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "84.*.*.89" 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: ], 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: "addressUsed": "84.*.*.89" 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: } 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: ] 2018:09:26-14:54:08 firewall letsencrypt[9407]: E Renew certificate: COMMAND_FAILED: }) 2018:09:26-14:54:08 firewall letsencrypt[9407]: I Renew certificate: sending notification WARN-603 2018:09:26-14:54:08 firewall letsencrypt[9407]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service 2018:09:26-14:54:08 firewall letsencrypt[9407]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

apijnappels · Accepted Answer

Found the reason... There was still an active DNAT directly connecting http and https to an inside webserver (also doing Let's Encrypt). 
 When I disabled the DNAT rule the renew worked as it should. Should have seen that coming, by bad.