Cannot get a certificate - challenge http-01 failed

I am trying to get a certificate for a simple WordPress site that is hosted on a VPS.

My domain is: lbn.ctb.upm.es

I ran this command: certbot --apache -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): lbn.ctb.upm.es
Requesting a certificate for lbn.ctb.upm.es
Performing the following challenges:
http-01 challenge for lbn.ctb.upm.es
Waiting for verification...
Challenge failed for domain lbn.ctb.upm.es
http-01 challenge for lbn.ctb.upm.es

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: lbn.ctb.upm.es
Type: unauthorized
Detail: 138.4.131.127: Invalid response from http://lbn.ctb.upm.es/.well-known/acme-challenge/uS1Mv_IWHgDmyrLhgiC9LZPbsLYv84LShbN5V9apd0Y: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.65

The operating system my web server runs on is (include version): Debian GNU/Linux 12 (bookworm)

My hosting provider, if applicable, is: VPS on CESVIMA (computing center of a Spanish university)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 5.1.0

I've noticed that the IP address that appears in the output (138.4.131.127) is outdated. I changed the DNS to a new IP (138.4.92.206) about 3 weeks ago; I checked with a DNS Checker and it has not propagated to the entire globe. I guess this is the reason for the error, but I don't know how long it will take to propagate or how to trigger it. Thanks in advance!

You have two different A records in your DNS 'tree'. One of your DNS Servers sends one and the rest send the other.

You have a number of DNS config problems. We often use this test site. You can see the two A records and also problems with your 'glue' records. See lbn.ctb.upm.es | DNSViz

Let's Encrypt walks your DNS authoritative servers. It may choose any path down the tree and it must produce a correct result.

It isn't a propagation problem. It is a configuration problem. You should discuss this with your DNS provider.

4 Likes

I've talked with him and he didn't know why the tree showed two A records, but we tried shutting off the old server and the certification worked. Thank you so much!

You probably just got lucky that Let's Encrypt chose a working path that time. It might choose a different one (and fail) next renewal.

You should fix your DNS config. Turning off DNS Servers isn't fixing the problem.

I'd focus on these warning messages from the DNSViz report. Sorting these out will help and might make it clearer what is still wrong.

es to upm.es: Authoritative AAAA records exist for einstein.ccupm.upm.es, but there are no corresponding AAAA glue records. See RFC 1034, Sec. 4.2.2.

es to upm.es: Authoritative AAAA records exist for galileo.ccupm.upm.es, but there are no corresponding AAAA glue records. See RFC 1034, Sec. 4.2.2.

3 Likes
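An added check (not from this thread, Certbot or DNSViz) that does what the two replies above describe: it asks each authoritative nameserver for the zone directly, with recursion disabled so no resolver cache is involved, and flags any server whose A records differ from the others. The zone name argument, the dig options and the nameserver names in the constructed sample are my assumptions; the two addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Requires dig (package bind9-dnsutils on Debian).
# Usage: ./nscheck.sh lbn.ctb.upm.es upm.es   (hostname, then the zone whose NS set to walk)

# Print one "nameserver<TAB>sorted,comma,joined,A,records" line per authoritative server.
# +norecurse makes each server answer only from its own zone data, which is what
# a CA validating http-01 effectively sees when it walks the delegation itself.
query_all_ns() {
    host=$1
    zone=$2
    for ns in $(dig +short NS "$zone"); do
        answers=$(dig +short +norecurse @"$ns" A "$host" | sort | paste -sd, -)
        printf '%s\t%s\n' "$ns" "${answers:-NONE}"
    done
}

# Read "nameserver<TAB>answers" lines on stdin; return 0 only if every server
# gave exactly the same answer set, otherwise list the servers and return 1.
check_consistency() {
    input=$(cat)
    distinct=$(printf '%s\n' "$input" | cut -f2 | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -eq 1 ]; then
        echo "OK: all authoritative servers return the same A records"
        return 0
    fi
    echo "MISMATCH: $distinct different answer sets; fix the zone data, not propagation:"
    printf '%s\n' "$input"
    return 1
}

# Constructed sample mirroring the thread: two servers already return the new
# address, one still serves the old one. Server names are placeholders.
sample_answers() {
    printf 'ns1.example.invalid\t138.4.92.206\n'
    printf 'ns2.example.invalid\t138.4.92.206\n'
    printf 'ns3.example.invalid\t138.4.131.127\n'
}

if [ -n "${1:-}" ]; then
    query_all_ns "$1" "${2:-$1}" | check_consistency
else
    sample_answers | check_consistency
fi
```

Run it against the real zone with the two arguments in the usage comment; with no arguments it only runs the constructed sample.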