No longer using a subdomain the certificate was created for. Renewal dry-run indicates renewal will fail. How to fix?

When I created the certificates for the website using certbot I identified (as an example for this post) mydomain.com as well as the subdomain www.mydomain.com.

At the time my DNS server was set up with an A-type record for mydomain.com, and I cannot recall if there was also an A-type record for www.mydomain.com or if it was using a CNAME-type record for the subdomain. In either case the original creation of the certificate was successful and included both domains; however, since that time I have decided not to support the www subdomain at all and just to go with a "naked" domain name approach for all URLs.

The issue is now I am trying to automate renewals for this certificate and during my testing with

certbot renew --dry-run

the results indicate that some of the challenges are failing - those related to www.mydomain.com - because the DNS records are not found (because I deleted them).

How should I best move forward to minimize issues? Should I just use certbot to delete the certificate, and create a new one that identifies only the primary domain?

Thank you for your advice!

1 Like

My advice would be to modify the existing certificate. See the Certbot user guide about changing the certificates hostnames here: User Guide — Certbot 1.27.0 documentation: Changing a Certificate’s Domains.

There unfortunately is no easier way to tell Certbot to drop or add a specific hostname from/to a certificate; the above guide requires using the -d option to tell Certbot the hostnames you want in the new cert. In your case, with just two hostnames in the old cert and just a single one in the new cert, this isn't really a big deal, but with large certs this could be a hassle. I'm also not sure what happens if you use the above guide with settings previously used, such as installer and/or authenticator options, perhaps webroot paths, I dunno. Only one way to find out: try it out!

Another option which can be interesting and would prevent the hassle above is the --allow-subset-of-names option to Certbot, which can be used with the renew subcommand. That option would tell Certbot to simply drop all failed hostnames and get a cert with just the hostnames which were successfully validated. Note that this can be a good thing AND a bad thing, depending on the reason of a failing hostname. In your case if the bare domain name validates successfully and just the www subdomain fails, this option could be an option to modify your cert.

7 Likes
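Both routes from the reply above, as an added example that is not part of the thread and not Certbot's own code: a small POSIX shell helper that first checks which of a certificate's hostnames still have DNS records (the poster's symptom was challenges failing because the www records were deleted), then builds the `certbot certonly --cert-name ... -d ...` command the user guide describes for changing a certificate's domains, and the `certbot renew --allow-subset-of-names` alternative. The hostnames mydomain.com and www.mydomain.com are the placeholders from the question; the function names are this example's own. The commands are only printed, so the rehearsal with `--dry-run` is left as a deliberate step for the operator.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): work out which hostnames
# of an existing certificate still resolve, then build the certbot commands that
# reissue the certificate with only those names. Hostnames are the question's
# placeholders; the helper names below are this example's own.

# Default check: succeeds when the name has an address in the local resolver.
dns_has_record() {
  getent hosts "$1" >/dev/null 2>&1
}

# Print, one per line, the hostnames for which the check command succeeds.
# $1 names the check command (so a test can substitute a fake one);
# the remaining arguments are the candidate hostnames.
keep_resolving() {
  check=$1
  shift
  for host in "$@"; do
    if "$check" "$host"; then
      printf '%s\n' "$host"
    fi
  done
}

# Route 1 (user guide, "Changing a Certificate's Domains"): rerun certbot with
# the same --cert-name and the new, complete -d list. The caller appends
# --dry-run to rehearse against the staging environment before the real run.
build_reissue_cmd() {
  cert_name=$1
  shift
  cmd="certbot certonly --cert-name $cert_name"
  for host in "$@"; do
    cmd="$cmd -d $host"
  done
  printf '%s\n' "$cmd"
}

# Route 2 (--allow-subset-of-names): let renew drop every hostname whose
# challenge fails and issue for the ones that validated. Note the trade-off
# from the reply: a name that fails for an unrelated reason is silently dropped too.
build_subset_renew_cmd() {
  printf 'certbot renew --cert-name %s --allow-subset-of-names\n' "$1"
}

# Driver: print the commands for the poster's situation instead of running them.
CERT_NAME=mydomain.com
wanted=$(keep_resolving dns_has_record mydomain.com www.mydomain.com)
if [ -z "$wanted" ]; then
  echo "no hostname resolves; fix DNS before touching the certificate" >&2
else
  # $wanted is intentionally unquoted so each line becomes one -d argument.
  echo "rehearsal: $(build_reissue_cmd "$CERT_NAME" $wanted) --dry-run"
  echo "real run:  $(build_reissue_cmd "$CERT_NAME" $wanted)"
fi
echo "alternative: $(build_subset_renew_cmd "$CERT_NAME") --dry-run"
```

Run the printed rehearsal line first; only when `--dry-run` succeeds against staging, run the same command without it, then confirm the result with `certbot certificates`, which lists the domains each managed certificate now covers.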

Hi Osiris,

Thank you for the tip and the link to the documentation.

I successfully used the -d option to renew the certificate while modifying to a new list of domain names; in this case just the primary.

craig

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.