Linux Bug 5% to 97% storage growth

I was going to say that this might not be so because of cryptographic operations, but the certbot renew certificate expiration checker (which I originally wrote) doesn't actually do any cryptography, it just has to parse ASN.1 in the file in order to read the notAfter field. Then I thought "oh, but subsequently that was patched to also check OCSP" ... but the OCSP connection is over HTTP and the OCSP response is also ASN.1.

But it does contain a digital signature, which gets verified in

That is by far the most computationally intensive part of the present-day certbot renew check. (Two digital signature verifications per certificate per day.) The Let's Encrypt OCSP endpoint is using sha256WithRSAEncryption to sign its responses, and that's what Certbot would therefore have to verify.

You could patch out this check in ocsp.py if you wanted to avoid this computational overhead, in which case a MITM could trick Certbot into attempting an early renewal (or maybe even make certbot renew crash???).
