Cannot issue for "mta-sts.": Domain name ends in a dot

From: Paul
Date: 4/4/24 8:50 AM
Topic: Cannot issue for "mta-sts.": Domain name ends in a dot
Type: General Discussions

Let's Encrypt stopped renewing the certificate with this error:
Unable to create a new order. Error creating new order :: Cannot issue for "mta-sts.": Domain name ends in a dot

MTA-STS Enabled: Yes

Configuration Steps:
Step 1: Enable STARTTLS for SMTP Completed
Your Xeams configured to use STARTTLS.

Step 2: Publish mta-sts.txt Completed
Xeams is configured to respond to https://mta-sts.BLAH.net/.well-known/mta-sts.txt, which will display the STS policy for BLAH.net

Step 3: Add a TXT record in your DNS server for _mta-sts.BLAH.net Completed
A TXT record is correctly published for _mta-sts.BLAH.net.

Step 4: Add a TXT record in your DNS server for TLS-Reporting Completed
A TXT record is correctly published for _smtp._tls.BLAH.net.


The STS-Policy for is set to the following text.
version: STSv1
mode: testing
max_age: 604800


The following are just statements; however, mta-sts.BLAH.net does appear in my DNS.


DNS Changes for mta-sts.
The hostname mta-sts. does not exist in your DNS server.

Steps:
You can either add an A record for mta-sts. pointing to the public IP address (X.X.X.X) of Xeams, OR
Add a CNAME record pointing to the A record (xeams.BLAH.net) where this server is running.


Add a new TXT record in your DNS server with the following values:
Hostname: _mta-sts.
Value: v=STSv1; id=20240404T010101;


Add a new TXT record in your DNS server with the following values:
Hostname: _smtp._tls.
Value: v=TLSRPTv1; rua=mailto:tlsrpt@


From: Paul
Date: 4/4/24 9:08 AM
Topic: Cannot issue for "mta-sts.": Domain name ends in a dot
Type: General Discussions

After a few hours I eventually found it:
/opt/Xeams/config/sslCertHosts.dat

This file had:

mta-sts.BLAH.net
mta-sts.BLAH1.com
mta-sts.BLAH2.com
mta-sts. 


Removed the last entry, restarted Xeams and renewed the Let's Encrypt certificate finally. 


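An added pre-flight check (example code, not from the post and not part of Xeams) that scans a host list like sslCertHosts.dat for names the CA would refuse before a renewal is attempted. The file contents are reconstructed from the post, the label rules are the standard DNS hostname limits, and mta_sts_host is an assumed helper showing how an empty domain yields exactly the "mta-sts." entry seen above.

```python
import re
from typing import Dict, Optional

# Constructed sample mirroring the sslCertHosts.dat contents quoted in the post,
# including the bogus last line with a trailing space.
SSL_CERT_HOSTS = """\
mta-sts.BLAH.net
mta-sts.BLAH1.com
mta-sts.BLAH2.com
mta-sts. 
"""

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_hostname(name: str) -> Optional[str]:
    """Return why a CA would reject this name for issuance, or None if it looks fine."""
    name = name.strip()
    if not name:
        return "empty"
    if name.endswith("."):
        return "Domain name ends in a dot"  # the rejection quoted in the thread
    labels = name.split(".")
    if len(labels) < 2:
        return "not a fully qualified name"
    if any(not LABEL_RE.match(label) for label in labels):
        return "invalid label"
    if len(name) > 253:
        return "too long"
    return None


def audit_hosts(text: str) -> Dict[str, str]:
    """Map each offending line (whitespace stripped) to the reason it would fail."""
    problems: Dict[str, str] = {}
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        reason = check_hostname(entry)
        if reason:
            problems[entry] = reason
    return problems


def mta_sts_host(domain: str) -> str:
    """Assumed helper: build the MTA-STS policy host, refusing an empty domain
    instead of silently producing 'mta-sts.' as the stale config entry did."""
    domain = domain.strip().rstrip(".")
    if not domain:
        raise ValueError("domain is empty; refusing to build 'mta-sts.'")
    return f"mta-sts.{domain}"
```

Running audit_hosts on the real sslCertHosts.dat before restarting Xeams would have flagged the "mta-sts." line without waiting for the ACME order to fail.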