I know it's not ideal. The short certificate lifetime makes manual action tedious. I'll try to tag in someone who has creative ways of working with organizations and entities with specific requirements. I'm not sure if he's around right now, but hopefully he'll see this soon.
Thanks, because we would like to keep our systems as simple as possible, and renewing 300 user subdomains separately is not an option for us. Not to mention that it is quite a requirement for us to keep all the scripts and daemons in check, as we have local users on our systems.
I think the colleague I tagged is exactly the right person to help with this. Since most of us are volunteers here, I don't know if/when he'll be around. He contributes here quite frequently though, so I have good hope. Someone else might come around in the meantime though. I'm not the best expert yet in these scenarios.
Then you should be able to redo those steps now and get your site secure now.
Once that is fixed, then you will have 90 days to figure out how to automate this.
It is not rocket science - millions of people have done it; and we are here to help you with that.
I also run my own BIND and have used the certbot-dns-rfc2136 plugin without any trouble.
That being said, I do want to add a little bit about your behaviour in this thread. My fellow volunteers are trying to help you in their spare time and reacting with comments like "I don't care if it is interactive or not, I just want it to renew and it doesn't work." aren't helpful. It also seems to indicate a certain lack of knowledge about how Let's Encrypt actually works and how certbot actually works.
And your remark "but giving me link to the list of command line options for certbot (which is not even a version I am using) is not really helpful" suggests you require a spoon-fed solution. However, I'd like to remind you again that, like almost everyone on this Community, @griffin and @rg305 (and me for that matter) are unpaid volunteers just trying to help. So if someone suggests reading the command line options (having already suggested the required two command line options earlier!), I think it would be fitting to reply with that in mind. The proper reply would be something like "Thanks, I'll take a look into that!". Now, it feels very, very ungrateful.
It's not intended as an ad hominem, just saying you can catch more flies with honey than with vinegar. For example, your statement just now makes me ignore this thread from now on, even if you might have questions or troubles about the aforementioned plugin. That's all on you. I'm not a help desk employee required to help you; it's my personal choice to help you or not. And I choose not to from now on. Best of luck to you.
@platyna, the big challenges for this situation are:
(1) By its policy, the Let's Encrypt CA requires you to use (only) the DNS challenge method for wildcard certificates.
(2) By industry policy, the specific token that you have to post for the DNS challenge will have to be different every time.
That means that you need some way to post new token values in DNS automatically, if you want to use Let's Encrypt and get automated renewals of wildcard certificates. You could also give up on any one of these three things (don't use wildcard certificates, don't use automated renewals, or don't use Let's Encrypt).
I think the rfc2136 method that @Osiris mentioned before is the closest "intended" or "official" way to do automated wildcard certificate renewals with Certbot when you run your own BIND.
If you don't want to make changes to your DNS zones at all, there is one other option: since the challenge validation follows CNAME records, you could also make _acme-challenge.platinum.edu.pl be a CNAME pointing to _acme-challenge in some other domain (it doesn't have to be a subdomain of your domain, and doesn't have to be hosted on the nameserver). In that case, you can update the DNS records elsewhere, on some other DNS server, over that other server's API, and that will be considered valid proof of control for your wildcard renewal. This still requires some configuration work because you still have to configure the Certbot plugin (and find a way to get a DNS zone hosted somewhere else with an API for zone updates), but in that case it wouldn't have to be updates to your own servers, services, or zone files that get made as part of the validation process.
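The two approaches laid out in this thread (RFC 2136 dynamic updates against your own BIND, or a CNAME that hands _acme-challenge off to a zone elsewhere) can be scripted. The POSIX shell below is an added example written for this page; it is not code from any of the posters or from the certbot project. The zone name example.org, the TSIG key name certbot-acme, the server 127.0.0.1, the delegation zone acme-delegate.example and the file paths are all assumed placeholders; the secret is passed in rather than generated (use tsig-keygen on a real system). The security-relevant detail it shows is the BIND update-policy: the key certbot uses is granted write access to exactly one name and one record type, so a compromised renewal host cannot rewrite the rest of the zone.

```shell
#!/bin/sh
# Added example: wiring certbot's dns-rfc2136 plugin to a self-hosted BIND
# so that wildcard renewals need no manual TXT edits.
# Assumed placeholders: zone example.org, key certbot-acme, server 127.0.0.1,
# delegation zone acme-delegate.example, paths under /etc/letsencrypt.

# Name that the CA validates for a domain. A wildcard "*.example.org" is
# validated at the same name as the base domain (the "*." label is dropped).
acme_challenge_name() {
  name="${1#\*.}"
  printf '_acme-challenge.%s\n' "$name"
}

# named.conf fragment: the TSIG key plus an update-policy that lets that key
# create/delete ONLY the _acme-challenge TXT record of the zone.
# "grant ... name <fqdn> TXT" matches the exact name, nothing below it.
bind_named_conf_fragment() {
  zone="$1"; keyname="$2"; secret="$3"
  cat <<EOF
key "$keyname" {
    algorithm hmac-sha256;
    secret "$secret";
};
zone "$zone" {
    type master;
    file "/var/lib/bind/db.$zone";
    update-policy {
        grant $keyname name _acme-challenge.$zone. TXT;
    };
};
EOF
}

# Credentials file consumed by --dns-rfc2136-credentials (keys as documented
# by the certbot-dns-rfc2136 plugin). Keep it mode 0600: it is a zone-write secret.
certbot_rfc2136_ini() {
  server="$1"; keyname="$2"; secret="$3"
  cat <<EOF
dns_rfc2136_server = $server
dns_rfc2136_port = 53
dns_rfc2136_name = $keyname.
dns_rfc2136_secret = $secret
dns_rfc2136_algorithm = HMAC-SHA256
EOF
}

# One-time issuance of base + wildcard in a single cert. "certbot renew"
# later reuses the stored plugin settings, so the cron/systemd timer needs
# nothing interactive.
certbot_wildcard_command() {
  zone="$1"; ini="$2"
  printf 'certbot certonly --dns-rfc2136 --dns-rfc2136-credentials %s ' "$ini"
  printf -- '--dns-rfc2136-propagation-seconds 30 -d %s -d "*.%s"\n' "$zone" "$zone"
}

# Alternative from the thread: leave the real zone static and delegate the
# challenge name by CNAME to a zone that does have an update API. The CA
# follows the CNAME and checks the TXT at the target.
acme_delegation_cname() {
  zone="$1"; delegate_zone="$2"
  printf '_acme-challenge.%s. IN CNAME _acme-challenge.%s.%s.\n' \
    "$zone" "$zone" "$delegate_zone"
}

# Install the credentials file with a restrictive mode and return its path.
install_rfc2136_ini() {
  dir="$1"; server="$2"; keyname="$3"; secret="$4"
  mkdir -p "$dir"
  ini="$dir/rfc2136.ini"
  umask 077
  certbot_rfc2136_ini "$server" "$keyname" "$secret" > "$ini"
  chmod 0600 "$ini"
  printf '%s\n' "$ini"
}

# Usage (prints the pieces rather than touching a live BIND):
#   bind_named_conf_fragment example.org certbot-acme "$SECRET"
#   certbot_wildcard_command example.org /etc/letsencrypt/rfc2136.ini
#   acme_delegation_cname example.org acme-delegate.example
```

With the delegation variant, the credentials file points at the server hosting acme-delegate.example instead of your own BIND, and the grant on that server is scoped to the delegated name in the same way; your own zone file only ever carries the static CNAME.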