Letsencrypt Renew failing

I am using LXD containers. One for haproxy, one for my application, and one for an nginx webserver.
I installed certs in the haproxy server as such:

certbot certonly --standalone -d bcast.streamingworld.us -d www.streamingworld.us -d streamingworld.us --non-interactive --agree-tos --email rayjender@gmail.com --http-01-port=8888

And the results were:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/bcast.streamingworld.us/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/bcast.streamingworld.us/privkey.pem
    Your cert will expire on 2020-11-27. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

And here is the current “certbot certificates” results:

root@HAProxy:/etc/letsencrypt/live/bcast.streamingworld.us# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: bcast.streamingworld.us
Domains: bcast.streamingworld.us streamingworld.us www.streamingworld.us
Expiry Date: 2020-11-27 13:56:19+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/bcast.streamingworld.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bcast.streamingworld.us/privkey.pem

So then everything worked. SSL to application and website works.

But now I am trying to renew the certs as such:

certbot renew --tls-sni-01-port=8888

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/bcast.streamingworld.us.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.streamingworld.us
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (bcast.streamingworld.us) from /etc/letsencrypt/renewal/bcast.streamingworld.us.conf produced an unexpected error: Failed authorization procedure. www.streamingworld.us (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.streamingworld.us/.well-known/acme-challenge/O3lzgf0gc61uiOj7YT4du969-Uea_gvQRRtQR7TeYLg: Timeout during connect (likely firewall problem). Skipping.


Processing /etc/letsencrypt/renewal/conf.streamingworld.us.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bcast.streamingworld.us/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/conf.streamingworld.us/fullchain.pem expires on 2020-12-11 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bcast.streamingworld.us/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.streamingworld.us
    Type: connection
    Detail: Fetching
    https://www.streamingworld.us/.well-known/acme-challenge/O3lzgf0gc61uiOj7YT4du969-Uea_gvQRRtQR7TeYLg:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

cat bcast.streamingworld.us.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/bcast.streamingworld.us
cert = /etc/letsencrypt/live/bcast.streamingworld.us/cert.pem
privkey = /etc/letsencrypt/live/bcast.streamingworld.us/privkey.pem
chain = /etc/letsencrypt/live/bcast.streamingworld.us/chain.pem
fullchain = /etc/letsencrypt/live/bcast.streamingworld.us/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 9a4a4fedd35e4c3579cf5df2148fbdee
http01_port = 8888
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

My firewall:

root@HAProxy:~# ufw status
Status: active

To Action From


80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
5058 ALLOW Anywhere
5443 ALLOW Anywhere
5000:65000/udp ALLOW Anywhere
8888/tcp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
5058 (v6) ALLOW Anywhere (v6)
5443 (v6) ALLOW Anywhere (v6)
5000:65000/udp (v6) ALLOW Anywhere (v6)
8888/tcp (v6) ALLOW Anywhere (v6)

Any ideas why the failure?

Thanks,

Ray
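
Added example (not part of the original post): a shell triage of the failure above, using the `Detail` line and the `[renewalparams]` values quoted in the post as sample input. HTTP-01 validation always begins at `http://<domain>/` on port 80, so an `https://` URL in the error means the CA followed a redirect. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: read a failed HTTP-01 renewal from certbot's own output.
# Sample inputs are copied from the post above.
ERROR_DETAIL='Fetching https://www.streamingworld.us/.well-known/acme-challenge/O3lzgf0gc61uiOj7YT4du969-Uea_gvQRRtQR7TeYLg: Timeout during connect (likely firewall problem)'
RENEWAL_CONF='[renewalparams]
http01_port = 8888
authenticator = standalone'

# URL the CA was fetching when it gave up (trailing ":" stripped).
fetched_url() {
    printf '%s\n' "$1" | sed -n 's/.*Fetching \(http[^ ]*\):.*/\1/p'
}

# Value of one "key = value" line from a certbot renewal config.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *//p"
}

# One-line summary: where the CA connected vs. where certbot listens.
# HTTP-01 always starts on port 80, so an https URL in the error means the
# request was redirected and the connection to port 443 is what timed out.
triage() {
    url=$(fetched_url "$1")
    [ -n "$url" ] || { echo "no challenge URL found"; return 1; }
    scheme=${url%%://*}
    rest=${url#*://}
    host=${rest%%/*}
    case $scheme in
        https) port=443; redirected=yes ;;
        *)     port=80;  redirected=no ;;
    esac
    # certbot's standalone plugin listens on 80 unless http01_port is set.
    listen=$(conf_get "$2" http01_port)
    echo "host=$host ca_port=$port redirected=$redirected certbot_port=${listen:-80}"
}

triage "$ERROR_DETAIL" "$RENEWAL_CONF"
```

When `ca_port` and `certbot_port` differ, the check to make is that whatever answers on `ca_port` for that host is reachable from the internet and passes `/.well-known/acme-challenge/` through to the standalone listener.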