I'm pulling my hair out trying to troubleshoot this, because I can't see what the LE server is trying to do. All I get back via the certbot client is an ACME failure, saying:
(tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge
In itself, that points squarely at a communication problem, and would suggest that my server is not listening on that IP address and port, but I can access that same website from my phone (via 4G), through the internet, via looking glass servers from all over the world, etc. There is clearly no general communication problem, yet I never see an incoming packet to tcp/443 (or tcp/80) during the time the client is waiting for a reply. It's like it just doesn't try.
The IP address stated in the message is correct, and DNS resolution is working. That DNS entry has been working for years, so it's not a new entry.
Looking at https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-7.3, it appears that I should be getting an incoming https connection, but when packet sniffing on my outside interface, I don't even see a SYN to 443, let alone https.
Yet, if I run it in --manual mode, and copy the well-known URL, and then access that from work (different ISP), it works just fine, and I see a tcp 3whs, an https TLS negotiation, and an entry in Apache's log file, so I'm at a loss to explain what ACME is trying to connect to. It certainly doesn't seem to be my webserver.