Please fill out the fields below so we can help you better.
I ran this command:
/usr/bin/letsencrypt renew
It produced this output: (names and IPs obfuscated for security purposes)
2017-03-08 19:26:39,679:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/xxx.yyy.com.conf produced an unexpected error: Failed authorization procedure. xxx.yyy.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to aaa.bbb.ccc.ddd:443 for TLS-SNI-01 challenge. Skipping.
My operating system is (include version):
Ubuntu 14.04
My web server is (include version):
Apache
My hosting provider, if applicable, is:
Digital Ocean
I can log in to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
which refers to a firewall blocking connections to port 443. Did you get the exact same error ("Failed to connect ... :443 for TLS-SNI-01 challenge") while using Certbot for your renewal?
No, my problem is that my site routes all requests to https, so it’s currently not accessible. I’ll have to remove that and allow http temporarily, I think, so that letsencrypt renew can access my site.
I don't think there should be a problem there, per
If you redirect everything to HTTPS, an expired certificate shouldn't be an obstacle for HTTP-01 verification as long as the specified webroot does actually otherwise get served successfully by the HTTPS server.
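For triaging the renewal failure quoted at the top of this thread, here is an added example (not part of any post above, and not Certbot's own code) that pulls the domain, challenge type, ACME error and connection target out of that log line. The regular expressions are assumptions based only on the single line posted here, and the triage hint restates the firewall and port 443 reading given in the replies.

```python
import re

# The log line as posted in the thread (names and IP were obfuscated by the poster).
SAMPLE = (
    "2017-03-08 19:26:39,679:WARNING:letsencrypt.cli:Attempting to renew cert from "
    "/etc/letsencrypt/renewal/xxx.yyy.com.conf produced an unexpected error: "
    "Failed authorization procedure. xxx.yyy.com (tls-sni-01): "
    "urn:acme:error:connection :: The server could not connect to the client "
    "to verify the domain :: Failed to connect to aaa.bbb.ccc.ddd:443 for "
    "TLS-SNI-01 challenge. Skipping."
)

# Pattern inferred from that one line; other client versions may word it differently.
FAILURE = re.compile(
    r"renew cert from (?P<conf>\S+) produced an unexpected error: "
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<error>urn:acme:error:\w+) :: (?P<summary>.*?) :: (?P<detail>.*?)\. Skipping\."
)
TARGET = re.compile(r"Failed to connect to (?P<host>\S+):(?P<port>\d+) for")


def parse_failure(line):
    """Return a dict describing a failed renewal authorization, or None."""
    m = FAILURE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    t = TARGET.search(info["detail"])
    info["host"] = t.group("host") if t else None
    info["port"] = int(t.group("port")) if t else None
    return info


def triage(info):
    """Map a parsed failure to the check suggested in the thread."""
    if info is None:
        return "no renewal authorization failure found in this line"
    if info["error"] == "urn:acme:error:connection" and info["port"] is not None:
        return ("%s challenge for %s: the validation server could not reach %s on "
                "port %d; check for a firewall blocking inbound connections to "
                "that port" % (info["challenge"], info["domain"],
                               info["host"], info["port"]))
    return "%s challenge for %s failed with %s: %s" % (
        info["challenge"], info["domain"], info["error"], info["detail"])


if __name__ == "__main__":
    print(triage(parse_failure(SAMPLE)))
```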