Certbot --apache "Incorrect validation certificate"

The firewall is just passing the traffic. No SSL termination. I wondered how it actually worked. What is actually happening (I am pretty sure) is that Let's Encrypt is getting back the default ‘snakeoil’ cert. I know this because I replaced it with one with a different name and the name in the error message changed. I noticed that certbot was starting Apache even if it was shut down.