I’ve tried some variations on that idea, but here’s what happens. I put a configuration file I thought might be helpful, below.

Thanks for responding!

$ sudo certbot renew --nginx --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/language.cs.ucdavis.edu.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (language.cs.ucdavis.edu) from /etc/letsencrypt/renewal/language.cs.ucdavis.edu.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/language.cs.ucdavis.edu/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/language.cs.ucdavis.edu/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

$ cat /etc/letsencrypt/renewal/language.cs.ucdavis.edu.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/language.cs.ucdavis.edu
cert = /etc/letsencrypt/live/language.cs.ucdavis.edu/cert.pem
privkey = /etc/letsencrypt/live/language.cs.ucdavis.edu/privkey.pem
chain = /etc/letsencrypt/live/language.cs.ucdavis.edu/chain.pem
fullchain = /etc/letsencrypt/live/language.cs.ucdavis.edu/fullchain.pem

Options used in the renewal process

[renewalparams]
account = xxxxxxx REVOKED xxxxxxxx
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory