Note: This doesn’t have to do with being a public suffix or not. Any site that sends the preload flag on an HSTS header may be added to the Google or Mozilla preload list at any time by any person.
Ah, this might be due to the latest version of Certbot using the http-01 challenge. It’s possible that this domain name never accepted port 80 requests, but that wasn’t previously an issue because Certbot would use the tls-sni-01 challenge on port 443. That might explain why nextcloudpi failed to renew recently, if it was updating its Certbot install.
@verduron, can you tell us more about what nextcloudpi uses under the hood? And when you regain access, can you share some logs of the latest renewal attempt?