So in the Trellis config the variable for Let’s Encrypt contact email was set using quotes, as literal:
letsencrypt_contact_emails: "webmaster@example.com"
This resulted in an incorrect interpolation/renew_certs.py script file generation by the ansible playbook, each lettering being a mailto email address:
'--contact mailto:w mailto:e mailto:b mailto:m mailto:a mailto:s mailto:t mailto:e mailto:r mailto:@ mailto:e mailto:x [...]
The variable has to be a list:
letsencrypt_contact_emails:
- webmaster@example.com
This can be overlooked, so Trellis should check/sanitize the variable to prevent these kinds of issues.