为什么 certbot 突然回退到 http-01 挑战而不是 tls-sni-01（https）？

我有一个经过充分测试的 bash 脚本，几个星期前它运行良好。
现在看来 certbot 挑战默认为 http 而不是 https。我不明白为什么。

echo 'rsa-key-size = 2048
renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets
' > /etc/letsencrypt/cli.ini

certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST

防火墙设置：

Firewall stopped and disabled on system startup
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  ip-10-10-10-0.eu-west-2.compute.internal/24  anywhere             policy match dir in pol ipsec proto esp
ACCEPT     all  --  anywhere             ip-10-10-10-0.eu-west-2.compute.internal/24  policy match dir out pol ipsec proto esp
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Certbot：

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpn-1.duelify.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. vpn-1.duelify.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: vpn-1.duelify.com
   Type:   connection
   Detail: Fetching
   http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.