Ok this is one of the domains that failed earlier
id xxxxxx
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
sub.xxxxxx.com. IN A
;ANSWER
sub.xxxxxxx.com. 3599 IN CNAME xxxxxxx.com.
xxxxxxx.com. 3599 IN A 167.xxx.xxx.xxx
;AUTHORITY
;ADDITIONAL
Edit: I just tried again and yet another subdomain failed (but the ones that previously failed were fine). I checked it with the dig tool you linked to and got the same result as above (except for the subdomain and ip of course). When I re-ran the certbot command, the subdomain that just failed failed worked fine.
Since the problem seems to be intermittent, is there a way to get more information about what went wrong when the failure occurred?