Do you have two server blocks for the same domain name on port 80? Maybe certbot is picking the wrong one to use for answering the validation challenge. You should probably only have one anyway...
Edit: oops, I see you posted another topic about this and someone already answered you there. I'll close this to keep all the discussion in one place.