Mail SSL cert failed to update ... and solution

Hi all.
I have a server that’s been running quite happily updating its certs for the last couple of years. This cycle the mail SSL cert failed to update, and started sending me errors. “Invalid response from https://mail.mydomain.com 401”
I logged in and tried a manual renew, but the same thing happened. I checked with letsdebug.com, which reported no problems, and pulled the .well-known URL out of the LE logfile in /var/log/hestia/ and tested that, which worked fine. Strange.
So after a lot of fiddling, it seems that the culprit was Cloudflare. The https://webmail.mydomain.com/ subdomain had proxy enabled (mail.mydomain.com did not). This was somehow causing a redirect that broke the update process. TL;DR: make sure neither of your mail domains is proxied.
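A pre-flight check along the lines of the debugging described above, as an added example that is not part of the original post and not Hestia's own code: it fetches the HTTP-01 challenge path on each mail hostname without following redirects and reports whether the reply came from the origin, was redirected, came back 401/403, or was served through the Cloudflare proxy (detected by the `Server: cloudflare` or `CF-RAY` header). The hostnames `mail.` and `webmail.`, the token, and the expected key authorization are assumptions you supply; `classify`, `diagnose` and `check_mail_hosts` are hypothetical names.

```python
"""Pre-flight check for a Let's Encrypt HTTP-01 challenge path on mail hosts.

Added example, not code from Hestia or the forum post. The fetch function
is injectable so the classifier can be exercised offline on constructed
responses; run it for real with:  python acme_preflight.py mydomain.com
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict   # header names lower-cased
    body: str


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """GET url with no redirect following; return a Response for any status."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            hdrs = {k.lower(): v for k, v in r.headers.items()}
            return Response(r.status, hdrs, r.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        hdrs = {k.lower(): v for k, v in e.headers.items()}
        return Response(e.code, hdrs, e.read().decode(errors="replace"))


def classify(resp, expected_body):
    """Return (verdict, detail) for one challenge-path response."""
    server = resp.headers.get("server", "").lower()
    proxied = "cloudflare" in server or "cf-ray" in resp.headers
    via = " via Cloudflare proxy" if proxied else ""
    if 300 <= resp.status < 400:
        target = resp.headers.get("location", "<no Location header>")
        return "redirect", f"redirected to {target}{via}; confirm the target serves the token"
    if resp.status in (401, 403):
        return "unauthorized", f"HTTP {resp.status}{via}; the validator will fail here"
    if resp.status != 200:
        return "error", f"HTTP {resp.status}{via}"
    if resp.body.strip() != expected_body:
        return "mismatch", "HTTP 200 but the body is not the expected key authorization"
    if proxied:
        return "proxied", "token served, but through Cloudflare: disable the proxy (grey cloud) for this host"
    return "ok", "origin served the expected key authorization"


def diagnose(host, token, expected_body, fetch_fn=fetch):
    """Check one hostname's challenge path; returns (verdict, detail)."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    verdict, detail = classify(fetch_fn(url), expected_body)
    return verdict, f"{url}: {detail}"


def check_mail_hosts(domain, token, expected_body, fetch_fn=fetch):
    """Check every hostname the mail certificate covers (assumed: mail. and webmail.)."""
    hosts = (f"mail.{domain}", f"webmail.{domain}")
    return {h: diagnose(h, token, expected_body, fetch_fn) for h in hosts}


if __name__ == "__main__":
    # Placeholder token/key-authorization: take the real ones from the
    # .well-known URL in /var/log/hestia/ before running against a live host.
    domain = sys.argv[1] if len(sys.argv) > 1 else "mydomain.com"
    token, expected = "PLACEHOLDER_TOKEN", "PLACEHOLDER_TOKEN.PLACEHOLDER_THUMBPRINT"
    for host, (verdict, detail) in check_mail_hosts(domain, token, expected).items():
        print(f"[{verdict:12}] {detail}")
```

Any verdict other than `ok` on either hostname means the renewal will most likely fail the same way the post describes; `redirect` and `proxied` both point at a Cloudflare-proxied record, which is exactly the condition to fix before retrying `v-update-letsencrypt-ssl`.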