Nginx

Why can't certbot renew the certificate?

Debian 8, nginx as proxy. Proxies two domains to two web applications, one is on the same machine, the other is on a physically different one. Certbot receives certificates from LE. White static IP, 80 and 443 ports, A-records, all this is and works. Moreover, for both domains, certificates were successfully obtained from LE by the team
sudo ./path/to/certbot-auto --nginx
. The next task is to set up automatic renewal. In Debian 8, this is done by adding the appropriate command to cron, but first on the Certbot website it was suggested to check the update in test mode with the command
sudo ./path/to/certbot-auto renew --dry-run
It would seem, what problems can there be if the certificates are successfully obtained and you only need to update, even if in test mode? But that was not the case - for both domains, the attempt fails with an error:

Domain: tut.my.domain
   Type:   connection
   Detail: Fetching
   http://tut.my.domain/.well-known/acme-challenge/4586QqpTV_5hQPD4q2tYDqvQqpTV_5hQPqvQqpTV_5h:
   Timeout during connect (likely firewall problem)

I have not encountered Debian 8 as a proxying nginx, perhaps I am missing something, but it is likely a firewall problem - this cannot be, because 1) certificates have already been received 2) 80 and 443 are open and obey.
Googled, but, basically, people have problems with this error, in principle, with obtaining a certificate, and not with updating an existing one, so nothing sensible was found.