As an aside, if there's no vhost on the server that is http-only
(i.e. they all redirect to https) then I would just stop listening
on port 80 and dispense with every http vhost. You will clearly need
to switch to DNS-based Let's Encrypt challenges then, though.
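
One way to check the precondition above before closing port 80, as an added example that is not part of the original post. It assumes Apache httpd syntax (the post names no web server), and the sample config and function names are constructed for illustration. Only the `Redirect` directive is recognised, so vhosts that redirect some other way (for example with `RewriteRule`) are flagged for manual review rather than assumed safe.

```python
import re

# Constructed sample in Apache httpd syntax (assumption: the post names no
# web server). Host names and paths are made up for illustration.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>
<VirtualHost *:80>
    ServerName legacy.example.org
    DocumentRoot /var/www/legacy
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/site
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def redirects_whole_site(body):
    """True if a Redirect directive sends path "/" to an https:// URL."""
    for line in body.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        # Matches "Redirect [status] / https://...". A redirect of a subtree
        # such as /login does not count: the rest is still served over http.
        if (tok[0].lower() == "redirect" and len(tok) >= 3
                and tok[-2] == "/" and tok[-1].lower().startswith("https://")):
            return True
    return False

def http_vhosts_still_serving(conf):
    """ServerNames of port-80 vhosts without a whole-site https redirect."""
    flagged = []
    for addrs, body in VHOST_RE.findall(conf):
        if not any(a == "*" or a.endswith(":80") for a in addrs.split()):
            continue  # not reachable on port 80
        if not redirects_whole_site(body):
            m = re.search(r"^\s*ServerName\s+(\S+)", body, re.I | re.M)
            flagged.append(m.group(1) if m else "(unnamed)")
    return flagged

def safe_to_close_port_80(conf):
    # Safe only when every port-80 vhost is a pure redirect to https.
    return not http_vhosts_still_serving(conf)
```

An empty result from `http_vhosts_still_serving` means every port-80 vhost in the parsed text is redirect-only; content served by the main server config outside any `<VirtualHost>` block is not examined.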