@schoen Thank you! Yes, I think you're right. After removing the [[webroot_map]] line at the bottom of the renewal config I got a different error (not finding the correct credentials in the webroot).
2016-02-20 00:36:05,190:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Failed authorization procedure. domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/xxxx-xxxx [x.x.x.x]: 404. Skipping.
However, executing the certonly for the same domain worked fine
/opt/letsencrypt/letsencrypt-auto certonly --keep-until-expiring -w /var/www/domain.com/web -d domain.com
I may still have some misconfiguration in my renewal files and will continue testing as soon as other certs are due.
For the renewal files being generated for new certificates I think the content was not generated correctly according to the way the original cert was created. In any case it would help a lot to have a documentation for the parameters that can be used there - I couldn't seem to find a page discribing the format. Thanks!
Edit: I only now realized that the renewal file will be updated by such an action - which is good to know. The part that I probably got wrong (missing documentation?) is that the webroot_path must end with a comma (?) and/or that the entry was added to the [[webroot_map]] part:
webroot_path = /var/www/domain.com/web, [[webroot_map]] domain.com = /var/www/domain.com/web