Just for reference, if it helps somebody: I moved to acme from certbot, and it is possible to renew a certificate with port 80 blocked (you need only port 443, so please stop apache2 or nginx when you renew or issue a certificate). Just use standalone tls-alpn mode:
acme.sh --issue --alpn -d example.com