On a FreePBX 16.0.26 system, I happened to notice today that a Let’s Encrypt certificate would expire in 3 days. A CNAME is pointed at the system and set as an alternative name in the Let’s Encrypt certificate configuration. There was a certificate renewal error in the dashboard, and looking into it, the problem appeared to be with accessing a challenge through the CNAME hostname. I had mistakenly entered the FQDN of the target host for the CNAME record value. For the DNS service in question, I needed to enter only the hostname (e.g. siphost), and the domain is automatically appended. So the incorrect CNAME record value was something like siphost.example.com.example.com. instead of siphost.example.com. After correcting the CNAME record, allowing time for propagation, and even rebooting the FreePBX system a couple times, the certificate was still not renewed automatically. I ended up doing:
fwconsole cert --updateall --force
…and the Let’s Encrypt certificate updated successfully. I would like to have some assurance that future Let’s Encrypt certificate renewal will happen automatically/transparently, or at least a way to check on renewal (attempt) status. Is the renewal (attempt | success/failure) process logged somewhere? I don’t see a Let’s Encrypt specific log in /var/log, or Let’s Encrypt entries in /var/log/messages, etc.
As a side note, I found it curious that successful certificate renewal is flagged as a critical issue…!?
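The two failure modes in the post (a CNAME value that repeats the zone name, and a renewal that silently does not happen) can both be caught from cron without waiting for the dashboard. The script below is an added example, not code from the post or from FreePBX; the hostnames pbx.example.com (the CNAME / alternative name), siphost.example.com (the FreePBX host) and the 14-day threshold are assumptions, and the live checks need dig, openssl and GNU date on the host.

```shell
#!/bin/sh
# Added example: cron-able sanity check for a Let's Encrypt alternative name
# that is served through a CNAME. Names and thresholds are assumptions.
set -u

# Return 0 when a CNAME record value ends with the zone name twice, i.e. the
# "siphost.example.com.example.com" mistake (the DNS provider appended the zone
# to a value that already carried it). $1 = record value, $2 = zone name.
# A trailing dot on the value is tolerated.
has_doubled_zone() {
    value="${1%.}"
    case "$value" in
        *".$2.$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Whole days from $1 to $2, both YYYY-MM-DD (UTC). Pure arithmetic so it can be
# exercised without a live certificate. Uses GNU date.
days_between() {
    start=$(date -u -d "$1" +%s) || return 1
    end=$(date -u -d "$2" +%s) || return 1
    echo $(( (end - start) / 86400 ))
}

# Days until the certificate served on $1:443 (with SNI $1) expires; prints
# nothing if the handshake or parse fails.
cert_days_left() {
    not_after=$(openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$not_after" ] || return 1
    days_between "$(date -u +%Y-%m-%d)" "$(date -u -d "$not_after" +%Y-%m-%d)"
}

# Live checks run only when CERTCHECK_HOST is set, so the file can be sourced
# or tested without network access, e.g. from cron:
#   CERTCHECK_HOST=siphost.example.com CERTCHECK_CNAME=pbx.example.com ./certcheck.sh
if [ -n "${CERTCHECK_HOST:-}" ]; then
    cname_name="${CERTCHECK_CNAME:-pbx.example.com}"   # assumed alternative name
    zone="${CERTCHECK_ZONE:-example.com}"              # assumed DNS zone
    min_days="${CERTCHECK_MIN_DAYS:-14}"               # assumed alert threshold
    status=0

    target=$(dig +short CNAME "$cname_name" | head -n 1)
    if has_doubled_zone "$target" "$zone"; then
        echo "CNAME $cname_name -> $target repeats the zone name; fix the record value" >&2
        status=1
    elif [ "${target%.}" != "$CERTCHECK_HOST" ]; then
        echo "CNAME $cname_name -> ${target:-<none>}, expected $CERTCHECK_HOST" >&2
        status=1
    fi

    left=$(cert_days_left "$cname_name")
    if [ -z "$left" ]; then
        echo "could not read the certificate served for $cname_name" >&2
        status=1
    elif [ "$left" -lt "$min_days" ]; then
        echo "certificate for $cname_name expires in $left days; renewal has not run" >&2
        status=1
    fi
    exit $status
fi
```

Anything written to stderr with a non-zero exit is what cron mails out, so a renewal that quietly fails shows up as a message well before the three-day mark the post describes, and the CNAME check catches the doubled-zone value before the HTTP challenge ever fails.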