Documentation

An SSL certificate for a domain has failed to renew

Check For Redirects

This is especially important if you're using a proxy CDN like CloudFlare.

The SSL certificate provisioning process ensures that each and every domain that you have linked to your project is able to respond with a predefined string when requested.

The string for each domain and subdomain is different. This means that if you have a redirect set up in a proxy CDN, redirecting traffic from www.test.com to test.com, an incorrect verification string will be returned because the wrong domain is being queried!

To prevent this from happening you can add a redirect exception for any URL paths beginning with .well-known.

In CloudFlare this might look like:

Because CloudFlare will only match against one PageRule, the match against .well-known will always take precedence over the redirect to the non-www domain, effectively creating a redirect exception.

(The rule to set the 'Cache Level' to 'Standard' is just to get the PageRule to save, it can be set to anything inconsequential.)