Well, this was a surprise… I removed /opt/eff.org/certbot for the third time this morning to see if it really toggles between the two or it’s just random and the update was successful, the certificates were renewed. The above mentioned 404 was present during this install, too, so it doesn’t seem to be related.
I saw that the old letsencrypt script had a --no-self-upgrade flag. Does it apply to certbot too? And if it does, is it wise not to upgrade? I think I’ll just make a backup copy of this working version and let it work as designed and if it misbehaves again in the future I just use the copy to do the update to prevent any down times.
I’m pretty satisfied that now it works, so I won’t dig deeper into this issue. I still believe there is something fishy here, but I lack the knowledge to go further. If you think it’s worth pursuing it, I’m more than happy to assist you. Anyway, thank you very much for your help, I couldn’t have done it without you :).