@fernandoch, as described in the other thread, Let’s Encrypt has discontinued support for TLS-SNI-01 authentication (which was an authentication method that used port 443 to prove your control of a domain name). There is an ongoing process to update Certbot and other software to better support the other authentication methods.
In this case I think you’re encountering a weird case which a few other people have encountered, which is that the means by which Let’s Encrypt implemented the change has made --dry-run much less realistic than before. This is because the main server still exceptionally allowed people to use the TLS-SNI-01 method for renewals only, but the staging (test) server used by --dry-run typically does not allow it at all. Therefore, --dry-run tests can show failures related to TLS-SNI-01 that do not necessarily correspond to failures when performing the actual renewal. It may be valid to run the ordinary certbot renew, because an exception has been made that can allow TLS-SNI-01 in this case.
Seeing this error also commonly means that your Certbot hasn’t yet been updated to a version that will refrain from trying to use the TLS-SNI-01 method. Such a version was released last week, hence my question to @joohoi about whether it’s available in the PPA yet.