Some time ago, for security reasons the tls-sni-01 challenge was disabled by Let’s Encrypt (with exceptions for some special cases involving renewals).
At the time, Certbot’s nginx and apache plugins depended on that challenge, so those plugins could not be used to issue certificates for new domains.
This was fixed in Certbot version 0.21.0 which adds support for the http-01 challenge to the nginx and apache plugins.
There was also a fix in 0.21.1 for a minor security issue around the functionality that automatically generates HTTP-to-HTTPS redirects.
You can review the changelog yourself to see if there’s anything else there that you care about.
I don’t know why your packages are being kept back, sorry.