Is it possible to provide the name of the actual certificate requested?
The [ip] only contains an IPv6 privacy address which has already rotated, so I don’t have any idea of which computer this could have come from to update… could have been any of a number of PCs running various versions of software.
Even the time of the last request would be helpful…