The certbot 0.28.x renewal process uses several files and directories outside the web-server’s reachability. So the web-servers config gets rewritten to direct authentication requests to those places. If the web-server’s user (i.e. www-data) cannot access those places due to file system restrictions, the requests fail.
TODO: Determine the web-servers runtime user and check whether access is granted.
THX a lot!