Since you’ve issued certificate(s) for those names recently, Let’s Encrypt probably remembers that it’s valid, and doesn’t actually try to validate it again. (It currently remembers authorizations for 60 days, a number which will probably change in the future.)
… but when you use --dry-run, if you haven’t recently issued any other staging certificates for those names, it won’t remember and will validate them. (The staging server has a totally separate database of authorizations.)
And, obviously, validation fails.
http://minecraft.klippenstein.org/.well-known/acme-challenge/ and http://philip.klippenstein.org/.well-known/acme-challenge/ both redirect to https://minecraft.klippenstein.org.well-known/acme-challenge/, a URL with an obviously invalid domain name. You can see for yourself with a web browser or something like
It sounds like there’s a missing “/” in your web server configuration. For example, maybe it has “Redirect / https://minecraft.klippenstein.org” where it should be “Redirect / https://minecraft.klippenstein.org/”.
(You could also exclude /.well-known/acme-challenge/ from the redirect, if you want. But I don’t know how to do that in Apache offhand.)
--dry-run, you’ve issued 3 identical certificates in the last couple days. If you keep doing that you’ll start running into the rate limits. If you’re testing things, you should make more use of --dry-run in the future.
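The missing-slash redirect suggested in the post above, as an added example that is not part of the original post: a simplified model of how a prefix redirect appends the rest of the request path to its target, plus a check of the resulting Location for an HTTP-01 challenge request. The function names and the challenge token are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "constructed-sample-token"  # constructed value, not a real challenge token


def prefix_redirect(prefix, target, request_path):
    """Simplified model of a prefix redirect such as Apache's
    "Redirect <prefix> <target>": whatever follows the matched prefix in the
    request path is appended to the target verbatim. (Assumption: plain
    string-prefix matching is close enough for the "/" case discussed here.)"""
    if not request_path.startswith(prefix):
        return None
    return target + request_path[len(prefix):]


def check_challenge_redirect(location, allowed_hosts):
    """Return a list of problems with the Location a server sends for a
    challenge request. An empty list means host and path both survived."""
    problems = []
    parts = urlsplit(location)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        problems.append("scheme is not http/https")
    if host not in allowed_hosts:
        problems.append(f"unexpected host {host!r}")
    if not parts.path.startswith(CHALLENGE_PREFIX):
        problems.append(f"challenge path lost, got {parts.path!r}")
    return problems


if __name__ == "__main__":
    hosts = {"minecraft.klippenstein.org", "philip.klippenstein.org"}
    request = CHALLENGE_PREFIX + TOKEN
    for target in ("https://minecraft.klippenstein.org",    # no trailing slash
                   "https://minecraft.klippenstein.org/"):  # trailing slash
        location = prefix_redirect("/", target, request)
        print(location, "->", check_challenge_redirect(location, hosts) or "ok")
```
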