Error in renewing Letsencrypt ...?

I think the issue is that we need certbot to support doing the renewal on a different port, not 443, since that’s forwarded for HA. So for auto-renew to work, we need to be able to get it to use a different port and then set up another forwarding rule on the router just to be used for the renewals. It seems that when we could use http-01, this renewal was done on port 80. However, since we now have to use tls-sni-01, this only works on 443; see: https://community.letsencrypt.org/t/how-to-specify-a-port-different-from-443-for-the-dvsni-challenge/12753