There's a big change underway in how users can prove control over their domains to Let's Encrypt. In preparation for that, Certbot's behavior has been changing in recent versions, including in the version 0.28.0 that you're running.
If you're using the Certbot apache authenticator (you can check in /etc/letsencrypt/renewal), you may be experiencing a known bug in how this authenticator performs the HTTP-01 challenge on systems that have multiple possibly-relevant Apache virtual hosts. This bug was fixed for most people in Certbot 0.31.0.
So if this is the case, you could try to find a way to upgrade to Certbot 0.31.0 or later, or switch to using the webroot authenticator (with --webroot) if you have a directory from which your Apache server serves static files (as opposed to, for example, proxying everything to a web app).