Hi @ianhobson,
What you should do to recreate a set of symlinks:
(as root)
cd /etc/letsencrypt/archive/example.com
ls -lrt *.pem
check what the most recent version number at the bottom is (e.g. cert7.pem or cert3.pem or whatever; below, I'll pretend it was cert4.pem, but replace the number 4 with the appropriate number for this specific certificate), and then
cd /etc/letsencrypt/live/example.com
rm cert.pem privkey.pem chain.pem fullchain.pem
ln -s ../archive/example.com/cert4.pem cert.pem
ln -s ../archive/example.com/privkey4.pem privkey.pem
ln -s ../archive/example.com/chain4.pem chain.pem
ln -s ../archive/example.com/fullchain4.pem fullchain.pem
If you have more than one certificate, repeat this whole process for each certificate name (indicated as example.com above). Note that the version number for each individual certificate (e.g. cert4.pem) may be different from each other certificate.
It should probably work again after that.
I'm not sure what you mean by "off-line" here, but I think certbot renew should work to renew your certificate(s). You can try sudo certbot renew --dry-run to test it after fixing the symlinks.
The /etc/letsencrypt/csr and /etc/letsencrypt/keys directories are just backups and not needed for Certbot's ongoing operations. In fact, it's been proposed on occasion that Certbot probably should not save these files at all, or not for very long.