I ran this command:
certbot renew --dry-run
original command to request cert was:
certbot certonly --webroot -w /var/www/html -d dstream.tiemann.support
It produced this output: certbot renew logs
My web server is (include version):
pihole
The operating system my web server runs on is (include version):
debian/pi
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0
Your sample output shows the http challenge was redirected from HTTP to HTTPS (notice the https url in the error message). That is fine but right now I cannot connect to your server using port 80. All http challenges start with an http request. Let's Encrypt recommends keeping port 80 open.
The http 404 error in your sample output usually means the webroot path folder is not the same as the document root folder your server uses. I don't know pihole, so I'm not sure how you specify that.
How does your lighttpd fit in? Do you proxy requests from pi-hole to lighttpd?
The request from Let's Encrypt to check your domain has a format like this. You redirect that to HTTPS. It would be better if you did not redirect and simply had your HTTP (port 80) server respond with the proper value. But, redirecting should work too.
curl -Ik http://dstream.tiemann.support/.well-known/acme-challenge/ForumTest123
HTTP/1.1 301 Moved Permanently
Location: https://dstream.tiemann.support/.well-known/acme-challenge/ForumTest123
Date: Wed, 22 Jun 2022 13:54:40 GMT
Server: lighttpd/1.4.59
When I then try the new location I get a 404 Not Found, which is expected because ForumTest123 does not exist on your server. But usually I would see a Server: lighttpd header like with the first request. If you make these requests, do you see them both in your lighttpd server logs?
curl -Ik https://dstream.tiemann.support/.well-known/acme-challenge/ForumTest123
HTTP/1.1 404 Not found
Content-length: 50
Connection: close
If lighttpd should be responding, is the server.document-root value /var/www/html as you used in the -w option?
Also note, the cert returned from your dstream domain is not expired. It was issued on Jun 11 but is for a domain name of tunnel.tiemann.support.
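Added example, not part of any post in this thread: a Python check for the webroot/document-root mismatch discussed above. It writes a random token under the directory passed to `-w` and fetches it over HTTP, following redirects. The function names and the local stand-in server are assumptions made for the illustration.

```python
import functools, http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def probe_webroot(webroot, base_url, timeout=5):
    """Drop a random token under webroot, fetch it via base_url, clean up.
    Returns (ok, detail); redirects are followed, as in the thread."""
    name, body = "probe-" + secrets.token_hex(8), secrets.token_hex(16)
    cdir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(cdir, exist_ok=True)
    path = os.path.join(cdir, name)
    with open(path, "w") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
    # Empty ProxyHandler: ignore proxy environment variables, connect directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            served, final = resp.read().decode(errors="replace"), resp.geturl()
        if served == body:
            return True, f"token served from {final}"
        return False, f"{final} answered, but not with the file under {webroot}"
    except urllib.error.HTTPError as err:   # e.g. 404: webroot != document root
        return False, f"HTTP {err.code} from {err.url}"
    except OSError as err:                  # refused, timeout, TLS failure
        return False, f"connection failed: {err}"
    finally:
        os.remove(path)

def serve_dir(docroot):
    """Constructed stand-in for the real web server: serve docroot on localhost."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    """Probe once with the matching directory, once with a different one."""
    with tempfile.TemporaryDirectory() as docroot, tempfile.TemporaryDirectory() as other:
        srv, url = serve_dir(docroot)
        try:
            return probe_webroot(docroot, url), probe_webroot(other, url)
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    for ok, detail in demo():
        print("OK  " if ok else "FAIL", detail)
```

On the real host the call would be `probe_webroot("/var/www/html", "http://dstream.tiemann.support")`. Unlike Let's Encrypt's validator, urllib verifies the certificate after an HTTPS redirect, so a certificate issued for a different name shows up here as a connection failure.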