Chicken-or-egg on port 443 vs 80 on challenge

The domains I gave are the ones I'm writing about... the ones I want to get working properly with just 443 because I am adding SANs almost daily.

Main (established) server is va1der.ca, mail.va1der.ca, www.va1der.ca, productrevue.ca (plus mail, www, etc), mccullochcentre.ca, mccullochcenter.ca. That has run for years.

This is getting bogged down in irrelevancies though. Main point is getting letsencrypt to stop failing out on a port 80 rejection and only fail out on port 80 AND port 443 rejection on all domains and in all circumstances. What will this take?