Are you being prompted for webroots for each domain? If Certbot is using the same webroot directory for every domain name, it might not be correct for each of them.
I think there will be a difference in where Certbot gets the webroot between renew and certonly. When you --expand, you may want to individually specify them again (one -w preceding each -d and specifying the -d entries separately) for this purpose. Would that make sense?