SOLVED!!!
I discovered that my ISP (Xfinity/Comcast) has deployed an Advanced Security feature (IDS) that basically blocked pretty much everything from the outside. This, despite all indications that the ports were open, port forwarding was properly configured and even a phone call to Xfinity Support that couldn’t find anything wrong. Once I disabled Advanced Security, I stopped getting the connection refused errors, and certbot --apache ran just fine to completion and successfully issued and installed my certificates. I really need a sarcasm font when I say THANKS XFINITY/COMCAST!
I hope this helps anyone else who might be experiencing these inexplicable connection refused issues and I’m very grateful to all who tried to help me.
NOTE: Although I remember getting an email from my ISP about this new feature, there’s NOTHING about it that’s right up front for you to be aware of the change. Nothing on the router or their website to provide control or access and not even any indication that it exists except an occasional blurb where they pat themselves on the back for providing enhanced security (valued at $79 per month) at no additional cost! I really had to pay close attention to eventually discover a new app on the Google Play Store called xFi that allowed me to disable Advanced Security from my phone.