I have done the following local tests and verifications:
During renewal i left the following script running in a separate console:
while true; do [ 0`ls /var/www/challenges | wc -l` -gt 0 ] && ls -laZ /var/www/challenges ; done
This confirmed the succesful creation of above file as:
-rw-r–r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 tTD-trU4w-fXpy2jTEQqFCCIg5YwSGpErEaFgqzyljo
The file was automatically deleted after acme_renew finished.
I have recreated a text file in the same spot with the same permissions (unix&selinux) which can access using the advertised URL as per the log entry.
I can see my access attempts in apache access log, but no other while the page is accessible through the internet and DNS only advertises 1 single IPv4 and no IPv6 addresses.
So i see no possibility to solve the problem on my end.
Suggestion for self service support: providing a tool on letsencrypt site that indicates “How we see you” that reports DNS and other possible information after presenting a hostname.
Is the output of the acme_renew script indicating to me that letsencrypt services were not able to do that download of the token. However, i do not see an attempt in apache access log, so must assume, such GET by letsencrypt was not arriving at the server.
@bytecamp you were right. The message was not referring an external trial.
It appears acme_tiny first does a local attempt in addition, prior to trying letsencrypt. Adding an entry to hoists for the apache virutal host did make it complete successfully and renew the certificate. So acme_tiny protected me from a problem i didnt have without it