Apologies for slow responding. Thanks for replying and moving to a separate topic.
The upgrade instructions (for 0.28) did not work, I had to use a forcing method telling letsencypt/certbot to upgrade even though it did not want to (found working instructions by another user) .
I did carefully read the page How to stop using TLS-SNI-01 with Certbot
It assumes that the reader has detailed knowledge about the inner workings of certbot. For example, the reader is assumed to know where to find “your renewal configuration”. In our system it was not in any known location (I could not find it).
I have no idea if some special flag was passed to choose TLS-SNI-01 (a previous employee made the installation). I also have no information on how SSL certificates were issued previously, but it was a more manual method.
Isn’t it odd that there is no tool or documentation for finding out what validation methods are in use?
It looks as if we will find out only when we are really in a hurry to make our failover server fully operational. Not ideal.