It sounds like you first created this certificate using the standalone authenticator. This spins up a temporary webserver to respond to the challenge, and is usually used in the case where you don’t have a web server running already. When you run certbot renew, it uses the exact same parameters that were used for the initial issuance.
You have a few options. First, you could manually edit the renewal.conf file in /etc/letsencrypt to have the correct setup. A bit more sure-fire, though, would be to simply issue a new one the same way you expect to issue in the future, and then remove the offending certificate using certbot delete whatever.the.certificate.is.named.com.
Consider also running a more up-to-date version of Certbot (from stretch-backports), as no doubt you are missing a lot of potential bug fixes in that version.