Ofcourse I've checked all kinds of logs, even tcpdump: no TLS incoming connections were made what so ever. And the redirect works, I've checked that also ofcourse, manually and in the browser..
Didn't see your previous post, sorry: yes, my server is accessible from the outside world on port 443, both IPv4 and IPv6 
I'm going to accept the aformentioned solution as a solution anyway, as the SimpleHTTPS challenge for the Webroot plugin was removed for a reason, as I found out from this post: Preventing Letsencrypt 3rd party clients going the Android way? - #29 by My1
Seems to be a vulnerability with default TLS vhosts and SNI: that way a misconfigured host apparently could 'steal' the domain validation or something..