This may be a bug that was probably fixed inadvertently in Certbot 0.31.0:
The issue would be that Let's Encrypt may be returning a cached authorization, from when you used DNS validation. After a recent change in Let's Encrypt's API, the cached authorization includes only the DNS-01 challenge object from before.
Certbot sees that you want to use HTTP validation, but the authorization doesn't include that as a possibility -- because it's already valid and you don't need to validate again -- but Certbot gets confused and fails.
Can you post the /var/log/letsencrypt/letsencrypt.log from when this happens?
Any chance you want to ignore this issue until you upgrade to a newer version of Debian?
Debian 9 doesn't have a newer version of Certbot packaged, though you can switch to certbot-auto.
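
The situation described in this reply, as an added example that is not part of the original post and is not Certbot's code: a client that selects a challenge before checking the authorization's status fails on a cached, already-valid authorization listing only dns-01, while a status-aware client reuses it. Field names follow the ACME authorization object (RFC 8555, section 7.1.4); the function names, the sample authorization and its URL are constructed for illustration.

```python
# Added illustration, not Certbot's implementation.
# Field names follow the ACME authorization object in RFC 8555, section 7.1.4.

class NoUsableChallenge(Exception):
    """No challenge of a preferred type can be performed for this authorization."""

def naive_plan(authz, preferred):
    """Failure mode from the post: picks a challenge without checking status."""
    offered = {c["type"]: c for c in authz.get("challenges", [])}
    for ctype in preferred:
        if ctype in offered:
            return ("validate", offered[ctype])
    raise NoUsableChallenge("none of %s offered" % ", ".join(preferred))

def plan_authorization(authz, preferred):
    """Return ("reuse", None) for a valid authorization, else ("validate", challenge)."""
    status = authz.get("status")
    domain = authz["identifier"]["value"]
    if status == "valid":
        # Already validated: nothing to perform, whatever challenge types are listed.
        return ("reuse", None)
    if status != "pending":
        # invalid, expired, deactivated or revoked: this authorization cannot be used.
        raise NoUsableChallenge("%s: authorization is %s" % (domain, status))
    return naive_plan(authz, preferred)

# Constructed sample: a cached authorization validated earlier over DNS.
CACHED_AUTHZ = {
    "identifier": {"type": "dns", "value": "example.org"},
    "status": "valid",
    "expires": "2030-01-01T00:00:00Z",
    "challenges": [{"type": "dns-01", "status": "valid",
                    "url": "https://acme.example/chall/1", "token": "constructed"}],
}

if __name__ == "__main__":
    try:
        naive_plan(CACHED_AUTHZ, ["http-01"])
    except NoUsableChallenge as exc:
        print("naive client fails:", exc)
    print("status-aware client:", plan_authorization(CACHED_AUTHZ, ["http-01"]))
```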