Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
My issue is odd. I'm not running Let's Encrypt any more but I continue to get mysterious GET commands such as this:
Not from Let's Encrypt anyway. The log entry clearly states "SSLMate-certmgr-DCV".
The weird thing is, is that there is no reason to start the path of such an ACME-like validation request with the hostname of the site.. I.e., the request should be GET /.well-known/... and notGET /flystore.net/.well-known/....
Anyway, not Let's Encrypt, perhaps you should ask SSLMate.
Also from this IPv6 address. And, also from an EC2 instance in AWS.
It looks like someone is using SSLmate to get a cert for your domain. And, it tries repeatedly when it fails. Those GET requests look like an ACME client doing a pre-validation test before submitting the actual request to the Certificate Authority (like Let's Encrypt).
There is nothing we can do to stop those requests. You should try contacting SSLMate.
But, the pattern still looks like an actual ACME client rather than a random bot. Perhaps the client is just misconfigured but could be outright faulty.
I say this because there are 4 requests using two IPv4 and two IPv6 source IPs. And, the DNS for that domain happens to have 4 IP addresses (2 for IPv4 and two IPv6, Cloudflare actually). So, it looks like one (faulty) request per DNS IP address.
And, there are two groupings of 4 requests. Each group has its own token value that stays consistent within that group.
This leads me to believe it was something explicitly setup for this domain.
I also agree with you that SSLmate is best place to ask
The requests can't be blocked/stopped from the receiving end.
They can only be denied.
To which, your .htaccess has done its' job: The 404 replies are now 403.
I do see that the requested file does change, so that implies an active client making new requests [daily].
Although the presence of "/flystore.net/" in the request in rather odd, it can be due to some URL redirection within those external systems. Perhaps at some point in time you hosted your domain elsewhere (and they haven't turned it off) ???