Do not stop the webserver before performing HTTP challenge (challenge is on port 80, webserver should be listening on port 443 only). As post-renewal hook just reload the webserver, don't restart.
