I just noted that one of our domains has an expired SSL certificate, because the DNS challenge failed.
I've tried to perform a dry run and it tells me that the acme-challenge TXT record no longer exists. I verified the DNS record and it didn't exist any longer indeed. I would like to recreate the DNS record, but when running certbot --renew it simply tells me that the acme-challenge record does not exist, or does not contain the correct data. How can I let certbot generate a new token for my TXT record?
I was able to resolve it by just generating new certificates and switching to the HTTP challenge mode. I actually have no idea why somebody in our team configured it in DNS challenge mode, as port 80 is available.
The dns-01 challenge is mandatory for wildcard certificates. If you don't have the requirement for a wildcard certificate and port 80 is indeed available, then there is usually no need to use the dns-01 challenge.
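As an added example (not from this thread, and not certbot's own code), here is a small Python helper that captures the rule in the answer above and the dry-run failure the question describes: it picks the simplest challenge a set of names allows (dns-01 only when a wildcard is present), derives the TXT value an ACME server expects for a dns-01 key authorization (RFC 8555, section 8.4), and reports whether a published record is missing or stale. Every name, token, thumbprint and DNS answer in it is constructed sample data.

```python
"""Decide between http-01 and dns-01 for a certificate and check a published
_acme-challenge TXT record against the value the ACME server will look for.

Added illustration; all identifiers and DNS answers below are constructed.
"""
import base64
import hashlib


def minimal_challenge(domains):
    """Return the simplest challenge type that can validate every name.

    dns-01 is mandatory as soon as a wildcard name is present; otherwise
    http-01 is sufficient (it only needs port 80 reachable on the host).
    """
    if any(name.startswith("*.") for name in domains):
        return "dns-01"
    return "http-01"


def challenge_record_name(domain):
    """DNS owner name of the TXT record for dns-01.

    A wildcard is validated on its base name: *.example.com is proven via
    _acme-challenge.example.com, not _acme-challenge.*.example.com.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def dns01_txt_value(key_authorization):
    """TXT record value for a dns-01 challenge (RFC 8555 section 8.4).

    key_authorization is "<token>.<account key thumbprint>"; the record holds
    base64url(SHA-256(key_authorization)) with the trailing '=' padding removed.
    """
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_txt(expected, published):
    """Classify a DNS answer the way a certbot dry run would complain about it.

    'missing': no TXT record at the name at all.
    'stale':   a record exists but carries a value from an earlier authorization
               (each new authorization issues a fresh token, so old data never
               validates).
    'ok':      the expected value is among the published strings.
    """
    if not published:
        return "missing"
    if expected in published:
        return "ok"
    return "stale"


def diagnose(domains, key_authorizations, dns_answers):
    """Per-name report. key_authorizations maps domain -> key authorization the
    server handed out for the current order; dns_answers maps TXT owner name ->
    list of strings currently published (both constructed inputs here)."""
    report = {}
    for name in domains:
        record = challenge_record_name(name)
        expected = dns01_txt_value(key_authorizations[name])
        report[name] = verify_txt(expected, dns_answers.get(record, []))
    return report


if __name__ == "__main__":
    # Constructed order: a wildcard forces dns-01, so http-01 is not an option.
    names = ["*.example.com", "example.com"]
    print(minimal_challenge(names))  # dns-01

    # Constructed token/thumbprint pairs standing in for what the server sends.
    authz = {
        "*.example.com": "token-for-wildcard.thumbprint-of-account-key",
        "example.com": "token-for-apex.thumbprint-of-account-key",
    }
    # Constructed zone contents: one record left over from a previous run.
    zone = {"_acme-challenge.example.com": ["value-from-last-month"]}
    print(diagnose(names, authz, zone))  # both names report 'stale'

    # Adding the two freshly computed values makes both validations pass.
    zone["_acme-challenge.example.com"] = [dns01_txt_value(a) for a in authz.values()]
    print(diagnose(names, authz, zone))
```

The practical consequence for the situation in the question: because the token is regenerated for every authorization, re-creating the old TXT record can never satisfy a new dry run; the record has to be populated with the value printed by the current certbot run (or by an auth hook that receives it), which is why switching to http-01 for a non-wildcard name is the easier path when port 80 is open.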