He’s not listening on 80, so that would require --preferred-challenges tls-sni to use port 443.
But I don’t think you can get a new cert via TLS any longer.
So he will have to put something to listen on 80.
1 Like