Updating certbot-auto, in and of itself, should do absolutely nothing to the certificates or web server configuration files.
It still sounds like some other software (or coworker) did something to the Apache configuration when you weren't looking.
The website is working correctly right now, right?
"certbot-auto certificates" didn't show any other certificates, right?
To reference a post in a similar thread, could you make a backup of the Apache configuration, and then compare what's different next time it breaks -- or, if it's broken right now, after fixing it?
E.g. "sudo tar czf /root/apache-configuration-2018-04-10.tar.gz /etc/apache2/".
What certificates is Apache configured to use? Something like "grep -ir SSLCertificate /etc/apache2/" can help check.
Are there other certificates not listed by certbot-auto certificates? "sudo ls -lAR /etc/letsencrypt/{archive,live}/".
Are you using a control panel? Bitnami? Something else that would potentially modify the Apache configuration?
Other people with access to the server?
If you fixed the website today, do you have a recent backup of the (Apache) configuration from when it was broken?