@jajouka Given that your ssh connection issue (the original topic of this thread) is resolved, please start a new thread for any other issues you are unable to resolve.
Regarding the Job for php7.0-fpm.service failed because the control process exited with error code, I believe you could resolve the issue by rebuilding your droplet. Hopefully roots/trellis#642 will prevent anyone from encountering this particular issue in the future. I don’t think there is a problem with your sudoers.
I recommend you stick with the development default of provider: self-signed for your dev VM. Let’s Encrypt will only issue a certificate to a publicly accessible server after confirming that it can access a challenge token on the server. Your development VM doesn’t satisfy this requirement.
Let’s Encrypt verifies and creates certificates through a publicly accessible web server for every domain you want on the certificate.
This means you need valid and working DNS records for every site host/domain you have configured for your WP site.
Note that if you end up choosing to set ssl enabled: false for development, your browser’s exposure to the letsencrypt setup for that domain will likely have an associated HSTS header for the domain. If you return to http for development, you’ll need to clear the HSTS header using something like this.
The HSTS header instructs your browser to remember to automatically load your site as https only for some period of time. If your site moves back to http only, the browser obediently won’t load that http version till the original HSTS header has expired, or till it is cleared manually. This is designed to prevent man-in-the-middle attacks that could try to “downgrade” a user’s connection from https to http.