According to this page: How to stop using TLS-SNI-01 with Certbot it should be:
If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go! No further action should be required to deal with the end of TLS-SNI-01 support.
Exact command was certbot --apache, selected a couple of domains and reissued the certificate as I've always done. This is a default install, nothing has been customized or altered — cli.ini is default:
# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0