Maybe you want to have a look why a dry run is failing and a normal request for the same domain is honored only seconds later. (time in CEST)
"http://domain.tld/.well-known/acme-challenge/SfHqoldRoAtR850KAjx1LNN3vY1qhJXo8SZVWdwFd9Q: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wm.domain.tld/fullchain.pem (failure)
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/wm.domain.tld/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: domain.tld
Type: unauthorized
Detail: Invalid response from
http://domain.tld/.well-known/acme-challenge/SfHqoldRoAtR850KAjx1LNN3vY1qhJXo8SZVWdwFd9Q:
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
[@ ~]# certbot renew --cert-name wm.domain.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/wm.domain.tld.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wm.domain.tld
http-01 challenge for domain.tld
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/wm.domain.tld/fullchain.pem
-------------------------------------------------------------------------------
Plugins selected: Authenticator webroot, Installer None
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/wm.domain.tld/fullchain.pem (success)
-------------------------------------------------------------------------------
1001 0910 14:14:28 certbot renew --cert-name wm.domain.tld --dry-run
1002 0910 14:14:49 certbot renew --cert-name wm.domain.tld