An SSL certificate for a domain has failed to renew
Check For Redirects
This is especially important if you're using a proxy CDN like CloudFlare.
The SSL certificate provisioning process ensures that each and every domain that you have linked to your project is able to respond with a predefined string when requested.
The string for each domain and subdomain is different. This means that if you have a redirect set up in a proxy CDN, redirecting traffic from www.test.com to test.com, an incorrect verification string will be returned because the wrong domain is being queried!
To prevent this from happening you can add a redirect exception for any URL paths beginning with .well-known.
In CloudFlare this might look like:
Because CloudFlare will only match against one PageRule, the match against .well-known will always take precedence over the redirect to the non-www domain, effectively creating a redirect exception.
(The rule to set the 'Cache Level' to 'Standard' is just to get the PageRule to save, it can be set to anything inconsequential.)