A recent Certbot update switched to performing validation on port 80 by default instead of port 443 (in preparation for the upcoming removal of the old TLS-SNI-01 challenge by the CA).
Your server is currently not externally reachable on port 80. If you can fix that, the renewal should work again as before.
If you can't, there are two alternatives:
- Switch to DNS authentication (if your DNS provider has an API allowing automated updates)
- Switch to the new TLS-ALPN-01 validation method, which works on port 443 (this is not supported by Certbot yet but is supported by some other clients).