Auto-certbot renew failure with message about firewall

The tls-sni-01 challenge has been deprecated since January, but only recently Certbot started preferring the http-01 challenge for renewals instead of tls-sni-01. By installing from the repo for 10.04 rather than certbot-auto, you probably got an old version that hadn't made that change yet (note that Ubuntu 10.04 has reached its end of life and no longer receives updates). You could alternatively have forced certbot-auto to use tls-sni-01 using the --preferred-challenges option. But either way, that's only a temporary solution - you will still need to switch to one of the other challenges before 13 February 2019, as the CA will stop supporting tls-sni-01 entirely at that point. You should really also consider updating to a supported version of Ubuntu.

If you can't open port 80, you have two options: switch to a client that supports tls-alpn-01 as @sigprof suggested, or use DNS validation.

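An added example, not part of the original post and not Certbot's own code: a small audit that reads Certbot renewal configs and flags certificate lineages still pinned to tls-sni-01, which are the ones that will stop renewing at the cutoff mentioned above. It assumes a pinned preference is recorded as a `pref_challs` entry under `[renewalparams]` and that configs live in `/etc/letsencrypt/renewal`; the sample config is constructed.

```python
import glob
import os

DEPRECATED = {"tls-sni-01"}  # challenge type the CA is retiring

# Constructed sample of a renewal config (not taken from a real host).
SAMPLE = """\
version = 0.26.1
[renewalparams]
authenticator = apache
pref_challs = tls-sni-01,
"""

def renewal_params(text):
    """Return the key/value pairs of the [renewalparams] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "renewalparams" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def classify(text):
    """Return (status, pinned challenges, authenticator) for one config."""
    params = renewal_params(text)
    # Assumption: pref_challs holds a comma-separated list such as "tls-sni-01,".
    challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    if DEPRECATED.intersection(challs):
        status = "pinned-deprecated"  # fails once tls-sni-01 is switched off
    elif challs:
        status = "pinned-ok"
    else:
        status = "unpinned"  # challenge is chosen by the client version and plugin
    return status, challs, params.get("authenticator")

def audit(renewal_dir="/etc/letsencrypt/renewal"):  # assumed default location
    out = {}
    for path in sorted(glob.glob(os.path.join(renewal_dir, "*.conf"))):
        with open(path, encoding="utf-8") as fh:
            out[os.path.basename(path)] = classify(fh.read())
    return out

if __name__ == "__main__":
    for name, result in audit().items():
        print(name, *result)
```

Lineages reported as `unpinned` are not necessarily safe: which challenge they use depends on the installed client version, so check those against a dry-run renewal as well.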