Is there a reason why HTTP-01 cannot be extended to use an https/port 443 connection instead, where it just ignores the server certificate altogether? This way, for renewals it will ignore the expired certificate, and for new certificates I could just use a temporary self-signed certificate for startup. This would take care of the issue where port 80 is blocked. I do not see how this would be any less secure than using a straight http connection.