To keep you in the loop re: my issue.
Yesterday, after I created my post, I noticed there was a service disruption to most Let's Encrypt services. I was doing my test against the staging server, and that one was listed as down. When it came back up, I tested again, but the error was different than "EOF occurred in violation of protocol". I think the EOF error was related to the service disruption.
The new error was:
2021-07-19 21:20:48,685:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))
Because I was testing with a new method for the first time (snapd), I think there is an issue related to leftover certbot installations or I don't understand where the client trust store is picked from... If you have a fix for that error, or guidance on trust store used by snapd, I will gladly take it.
When I used my old method, and install the Cloudflare pip module, it works (no API access token yet though):
Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
If you could provide guidance on the snapd issue, I'd be happy. If not, then I think my problem is fixed. I was able to renew the certificates manually this morning.