There was a recent thread about this:
(Though it's long and I haven't reread it!)
The issue is:
- Your website redirects from HTTP to HTTPS. (This is fine!)
- The ACME client, acme-tiny, makes its own HTTP request to your website to check if the validation works.
- This request requires a valid certificate. (Even though Let's Encrypt's validation system ironically doesn't.)
- acme-tiny has an option to disable the check; Webmin doesn't use it.
- The website's current certificate is expired.
I think the very long thread suggests some workarounds.
Edit:
Warning: that thread also discusses at least one unrelated issue. You can ignore parts of it.
There's a pull request to disable certificate validation for the check, but it wasn't merged: