Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Not from the public internet. Something else may be blocking it then. Maybe something in your hosting settings?
Try a mobile phone with wifi disabled to use the carrier's network. See if this works: http://bestfedcats.com
I am pretty sure it won't. Let's Debug can't see your server nor can Let's Encrypt (nor my own test server).
Discovered that the inbound rules on the control panel didn't include port 80.
After adding the rule I was able to renew the domain cert but the subdomain cert again failed with the same error.
Is this because of the Nginx redirect using return 301?
Which subdomain? Because your www subdomain does not time out for me. Although it doesn't behave exactly like your root domain so the nginx config may need some adjustment. Do you have both names in the server_name setting?
```
# www redirects HTTP Challenge to HTTPS
curl -I -m8 http://www.bestfedcats.com/.well-known/acme-challenge/Test404
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Location: https://bestfedcats.com/.well-known/acme-challenge/Test404

# base domain does not redirect
curl -I -m8 http://bestfedcats.com/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
```
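The comparison made by hand in the reply above, as an added example that is not part of any post in this thread: it parses the header output of a `curl -I` probe of the challenge path for each name and reports whether the name is answered directly, redirected (and what the redirect changes), or unreachable. The sample input is constructed from the two responses quoted above; the function names and the use of `None` to stand for a timed-out probe are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Constructed sample: the two `curl -I` responses quoted in the thread.
# A value of None would stand for a probe that timed out (assumption).
SAMPLE = {
    "http://www.bestfedcats.com/.well-known/acme-challenge/Test404": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Server: nginx/1.18.0 (Ubuntu)\r\n"
        "Location: https://bestfedcats.com/.well-known/acme-challenge/Test404\r\n"
    ),
    "http://bestfedcats.com/.well-known/acme-challenge/Test404": (
        "HTTP/1.1 404 Not Found\r\n"
        "Server: nginx/1.18.0 (Ubuntu)\r\n"
    ),
}

def parse_head(raw):
    """Split raw response headers into (status code, lower-cased header dict)."""
    lines = [l for l in raw.splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(url, raw):
    """Describe how a host answers a probe of the HTTP-01 challenge path."""
    if raw is None:
        return "timeout: port 80 unreachable, check firewall / inbound rules"
    status, headers = parse_head(raw)
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        src, dst = urlsplit(url), urlsplit(headers["location"])
        notes = []
        if dst.hostname != src.hostname:
            notes.append(f"host changes to {dst.hostname}")
        if dst.scheme != src.scheme:
            notes.append(f"scheme changes to {dst.scheme}")
        if dst.path != src.path:
            notes.append("path changes")
        return f"redirect {status}: " + (", ".join(notes) or "same host, scheme and path")
    if status == 404:
        return "served directly: 404 for a made-up token is expected"
    return f"unexpected status {status}"

def report(samples):
    """Map each probed hostname to its classification."""
    return {urlsplit(u).hostname: classify(u, r) for u, r in samples.items()}
```
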