Another pitfall for renewing certificates is if you have your web server (apache or nginx) set up to 301 redirect HTTP to HTTPS requests. You need to disable this temporarily while you renew your certificates. LetsEncrypt needs to connect to the server via standard port 80 (HTTP) for the renewal process to complete successfully.