Came here to ask a question but solved it before finishing. On Amazon Linux (experimental) I set up, got the initial cert and renewed, but only in standalone mode (need to shut down the webserver). There was no cli.ini in my letsencrypt folder so I created one. Still no dice. Finally I read the manual (!) and just passed it on the command line. This works:
/opt/letsencrypt/certbot-auto renew --debug --dry-run --webroot -w /var/www/html/
Performing the following challenges:
tls-sni-01 challenge for sugarlock.com
tls-sni-01 challenge for www.sugarlock.com
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/sugarlock.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again… Skipping.
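A way to see which authenticator each renewal config under /etc/letsencrypt/renewal/ has stored, since a config still set to standalone will try to bind the port itself and hit the error shown above (added example, not part of the original post). The sample configs, domain names and function names are constructed for illustration; the `[renewalparams]` / `authenticator` layout is certbot's renewal file format.

```shell
#!/bin/sh
# Added example: report which authenticator each certbot renewal config stores.
# Real files live under /etc/letsencrypt/renewal/; the samples below are constructed.

# Print the authenticator recorded in the [renewalparams] section of one file.
renewal_authenticator() {
    awk -F= '
        /^\[/ { in_params = ($0 ~ /^\[renewalparams\]/); next }
        in_params && $1 ~ /^[ \t]*authenticator[ \t]*$/ {
            gsub(/[ \t\r]/, "", $2); print $2; exit
        }' "$1"
}

# Return 0 when renewal will bind a port itself (standalone), which
# collides with a running web server as in the error above.
binds_port() {
    [ "$(renewal_authenticator "$1")" = "standalone" ]
}

# Walk a renewal directory and print "<file>: <authenticator>" per config.
audit_renewal_dir() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        auth=$(renewal_authenticator "$conf")
        printf '%s: %s\n' "$(basename "$conf")" "${auth:-unset}"
    done
}

# Constructed sample data so the script runs without a certbot install.
demo_dir=$(mktemp -d)
cat > "$demo_dir/standalone.example.conf" <<'EOF'
cert = /etc/letsencrypt/live/standalone.example/cert.pem
[renewalparams]
authenticator = standalone
installer = None
EOF
cat > "$demo_dir/webroot.example.conf" <<'EOF'
cert = /etc/letsencrypt/live/webroot.example/cert.pem
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
webroot.example = /var/www/html
EOF
audit_renewal_dir "$demo_dir"
```

To check a real host, call `audit_renewal_dir /etc/letsencrypt/renewal` as a user that can read that directory.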