Is this a change from the normal operation?
certbot only needs port 80 to obtain/renew any cert (via HTTP authentication).
If you have to "put things back" and port 80 will not be reaching this system, things will not automate - and you will have to do this all over again every time you renew.
If these ports are normally forwarded to this system, then disregard this entire post (thus far) and
I'm glad you got a renewed cert.
Cheers from Miami 
1 Like