Just to add to the thread, but not expecting a magic answer, other subscriptions on the same host all update okay, even now, one that was suffering the same 'urn:ietf:params:acme:error:caa' 403 error. Trying to work out what is the key issue, although I cannot see why one that was failing, is...