Let's Encrypt failed with cert renew

Hi all
I use hass.io 96.5 and the Let's Encrypt add-on 3.0 without DuckDNS.
I forwarded ports 8123 (TLS) and 80 on my firewall to the Raspi which runs Hass.io.

The renewal of the cert is failing - the token cannot be fetched.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sh.domain.com
Waiting for verification...
Challenge failed for domain sh.domain.com
http-01 challenge for sh.domain.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: sh.domain.com
   Type:   connection
   Detail: Fetching
   http://sh.domain.com/.well-known/acme-challenge/ASosc_lsRO3Tkec46_pFRu387B-TO--Q1HLWIB8dzN8:
   Error getting validation data
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Hass.io does respond on ports 80 and 8123 from an external server with telnet:

root@external-host:~# telnet sh.domain.com 80
Trying 100.101.102.103...
Connected to sh.domain.com.
Escape character is '^]'.
^CConnection closed by foreign host.

root@external-host:~# telnet sh.domain.com 8123
Trying 100.101.102.103...
Connected to sh.domain.com.
Escape character is '^]'.
^CConnection closed by foreign host.

The log file /var/log/letsencrypt/letsencrypt.log does not even exist.

Does the challenge file really exist?
Are some access rights wrong?
Do I need port 443 forwarded to Hass.io? … I think not. This port does not respond:

root@external-host:~# telnet sh.domain.com 443
Trying 100.101.102.103...
telnet: Unable to connect to remote host: Connection refused

My configuration:

{
  "email": "[email protected]",
  "domains": [
    "sh.domain.com"
  ],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

configuration.yaml

http:
  base_url: sh.domain.com:8123
  use_x_forwarded_for: true
  trusted_proxies: 127.0.0.1
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

… quite simple…

Thank you very much!
BR
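A telnet connect only proves that something accepts TCP on port 80; it does not show which service answers or what it serves under /.well-known/acme-challenge/. The following diagnostic is an added example (not from the post above and not part of the Let's Encrypt add-on): it performs the same fetch the ACME validator does for an http-01 challenge (plain HTTP on port 80, redirects followed) and compares the body with the expected key authorization, i.e. the token, a dot, and the RFC 7638 thumbprint of the account's public JWK. The domain, token and JWK file path are command-line assumptions; if the final URL ends up on https://, the server redirected and port 443 is then needed too.

```python
import base64
import hashlib
import json
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"
# Members that enter the RFC 7638 thumbprint, per key type; others (alg, use, kid) are ignored.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "oct": ("k", "kty")}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: base64url(SHA-256(canonical JSON of required members, sorted keys, no whitespace))."""
    members = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode()

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the challenge URL must serve token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def validate_body(status: int, body: bytes, expected: str) -> tuple:
    """Same acceptance rule as the CA: HTTP 200 and body equal to the key authorization (trailing whitespace ignored)."""
    if status != 200:
        return False, f"HTTP status {status}, expected 200"
    got = body.decode("ascii", "replace").rstrip()
    if got != expected:
        return False, f"body {got[:48]!r} does not match the expected key authorization"
    return True, "ok"

def fetch_challenge(domain: str, token: str, timeout: float = 10.0) -> tuple:
    """GET over plain HTTP on port 80, following redirects; returns (status, body, final_url), status 0 = no HTTP answer."""
    url = f"http://{domain}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(), resp.geturl()
    except urllib.error.HTTPError as e:  # the server answered, but not with 2xx
        return e.code, e.read(), e.geturl()
    except (urllib.error.URLError, OSError) as e:  # refused, timed out, DNS failure
        return 0, str(e).encode(), url

if __name__ == "__main__":
    # Usage (assumed file layout): http01_check.py sh.domain.com <token> account.jwk
    domain, token, jwk_path = sys.argv[1:4]
    with open(jwk_path) as fh:
        expected = key_authorization(token, json.load(fh))  # account.jwk holds the public JWK
    status, body, final_url = fetch_challenge(domain, token)
    ok, reason = validate_body(status, body, expected)
    print(f"final URL {final_url}: " + ("PASS" if ok else f"FAIL: {reason}"))
```

Run it from an external host while the standalone authenticator is waiting on port 80; a final URL on https:// or a body that is not the token tells you which hop answered instead of certbot.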