It's possible that you were previous relying on the TLS-SNI authentication method (over port 443). Unfortunately that method had a problem and is being permanently disabled.
There is a replacement method (TLS-ALPN), but it is not compatible with Certbot or Apache.
Do you mean to say that traffic to tcp/80 is not routed to your server at all? It's odd that the response is "connection refused" - that indicates that the port is not being used by anyone at at all.
For example, what happens when you run:
sudo ~/Downloads/letsencrypt/letsencrypt-auto renew --cert-name koinonia.co.nz -a standalone --dry-run