Coming back to this finally. I enable port 80 so Certbot can access it.
* certbot --apache
I pull up the webpage to test. It is loading correctly and shows the updated certificate.
* certbot renew --dry-run
* Congratulations, all simulated renewals succeeded.
* sudo ufw deny 80/tcp
* Rule updated
* sudo ufw reload
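
Added example, not part of the original post: the same open / renew / close sequence wrapped for unattended renewals, so port 80 is denied again even when the renewal fails, plus a check that the deny rule is in effect. The function names and the `RENEW_NOW` variable are hypothetical; it assumes root, ufw as the host firewall, and Certbot validating over port 80.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root (ufw needs it).
# Assumes certbot validates over HTTP on port 80 and ufw is the host firewall.

# Open 80/tcp, renew, then close 80/tcp again even when renewal fails.
# Extra arguments (e.g. --dry-run) are passed through to "certbot renew".
renew_with_port80() {
    rwp_status=0
    ufw allow 80/tcp || return 1
    certbot renew "$@" || rwp_status=$?
    # Always re-apply the deny rule; a failed renewal must not leave 80 open.
    ufw deny 80/tcp || return 1
    return "$rwp_status"
}

# Return 0 only if ufw is active and "ufw status" lists no ALLOW rule for
# 80/tcp (IPv4 or IPv6). An inactive firewall counts as "not closed".
# Limitation: rules written as application profiles or port ranges are not matched.
port80_closed() {
    ufw status | awk '
        /^Status: active/            { active = 1 }
        $1 == "80/tcp" && /ALLOW/    { open = 1 }
        END                          { exit (active && !open) ? 0 : 1 }'
}

# Entry point for cron or a systemd timer: RENEW_NOW=1 sh this-script.sh
if [ "${RENEW_NOW:-0}" = "1" ]; then
    renew_with_port80 && port80_closed
fi
```

The exit status is Certbot's own when the firewall steps succeed, so a scheduler can alert on a failed renewal while the port is already closed again.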