Instructions state: “If you get a connection refused or connection timeout, you may have a firewall blocking port 80. tls-sni-01 used port 443, but http-01 uses port 80. Ideally your web server should allow both ports. If that’s not possible, for instance because your ISP blocks port 80, you’ll need to switch to the dns-01 challenge, or use an ACME client that supports tls-alpn-01.”
I upgraded the letsencrypt/certbot client, it's version .28. The dry run produces
http:mydomain/.well-known/acme-challenge/GTdHfTxxWak9OzZtqYHajHiJgMeBqWNCxYS6Ceh0YB8:
Timeout during connect (likely firewall problem)
Well, of course it can’t, I block non-SSL traffic, why would anyone allow http?
The confusion stems from the instructions bolded above. “need to switch to…or use an ACME client…” has no clear or coherent instructions for HOW to do that. I have searched for DNS-01 and I get tons of stuff, but nothing which seems to tell me how to switch to another client.
Can someone point me at the correct instructions and perhaps fix the instructions above to point there as well, so fools like me don't get lost so easily?
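As an added illustration of what the three challenge types in the quoted instructions actually require (example code, not from this thread or from certbot), the snippet below derives the ACME key authorization (RFC 8555) from a token and account key and shows where each challenge type expects it to be published: http-01 over port 80, dns-01 as a TXT record with no inbound port, tls-alpn-01 on port 443. The JWK is a constructed placeholder and the token is the one from the dry-run output above.

```python
import base64
import hashlib
import json

# ACME (RFC 8555) challenge responses. One key authorization, three
# places to publish it:
#   http-01     -> served over port 80 at /.well-known/acme-challenge/<token>
#   dns-01      -> TXT record at _acme-challenge.<domain> (no inbound port)
#   tls-alpn-01 -> self-signed cert on port 443 with an acmeIdentifier ext

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the value every challenge type proves control of."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def challenge_responses(domain: str, token: str, jwk: dict) -> dict:
    """What to publish, and where, for each challenge type."""
    key_authz = key_authorization(token, jwk)
    digest = hashlib.sha256(key_authz.encode("ascii")).digest()
    return {
        "http-01": {"port": 80,
                    "url": f"http://{domain}/.well-known/acme-challenge/{token}",
                    "body": key_authz},
        "dns-01": {"port": None,
                   "name": f"_acme-challenge.{domain}",
                   "txt": b64url(digest)},
        "tls-alpn-01": {"port": 443,
                        "acme_identifier_sha256": digest.hex()},
    }

# Constructed placeholder key (not a real account key); token from the dry run.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "GTdHfTxxWak9OzZtqYHajHiJgMeBqWNCxYS6Ceh0YB8"

if __name__ == "__main__":
    print(json.dumps(challenge_responses("example.com", SAMPLE_TOKEN, SAMPLE_JWK), indent=2))
```

With port 80 blocked, only the dns-01 and tls-alpn-01 entries are usable; the dns-01 TXT value is what a DNS-capable client publishes instead of serving the file over HTTP.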