I'm sorry it's so complicated.
How was Certbot installed now? apt? Using Ubuntu's repositories, or the PPA? certbot-auto?
Since the email didn't specify which servers are still using TLS-SNI -- or were recently -- you'll probably have to check all of them.
Can you upgrade all of your Certbot installations to a very recent version?
Edit:
Oh.
Okay, that's sort of good and sort of complicated.
Both versions of Certbot should support HTTP validation fine, I think.
However, when HTTP and TLS-SNI validation are available, 0.28.0 uses HTTP by default and older versions use TLS-SNI.
You might want to go around testing certbot renew --dry-run --preferred-challenges http-01,dns-01
on all of your servers.
(You can simply use certbot renew --dry-run
on the 0.28.0 servers, but it might be simpler to copy and paste the same command everywhere.)