Good day,
my certificate is a wildcard certificate for my domain and a subdomain in my domain. It appears that the DNS update for the base domain works, but that of the subdomain fails. I've changed the API token resources to "All Domains" in Cloudflare, but I still get "Domain: neptune.4gl.dev unauthorized" when I do a dry run.
The domains in the certificate are: *.4gl.dev and *.neptune.4gl.dev
I ran this command:
sudo certbot renew -v --dry-run --dns-cloudflare --dns-cloudflare-credentials /etc/certbot/.cloudflare
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/4gl.dev.conf
Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-cloudflare, Installer None
Simulating renewal of an existing certificate for *.4gl.dev and *.neptune.4gl.dev
Performing the following challenges:
dns-01 challenge for 4gl.dev
dns-01 challenge for neptune.4gl.dev
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain neptune.4gl.dev
dns-01 challenge for neptune.4gl.dev
Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
Domain: neptune.4gl.dev
Type: unauthorized
Detail: Incorrect TXT record "emxReSvF2dbJHUBg_5P7bfZcacxabQ07Qs6jt4QNrJY" found at _acme-challenge.neptune.4gl.dev
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-cloudflare. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-cloudflare-propagation-seconds (currently 10 seconds).
Cleaning up challenges
Failed to renew certificate 4gl.dev with error: Some challenges have failed.
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/4gl.dev/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
The operating system my web server runs on is (include version):
Ubuntu 22.04.5 LTS
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.2.0
Looking at /etc/letsencrypt/renewal/4gl.dev.conf I see the following; what I do not understand is why it says that the authenticator is manual:
renew_before_expiry = 30 days
version = 3.0.1
archive_dir = /etc/letsencrypt/archive/4gl.dev
cert = /etc/letsencrypt/live/4gl.dev/cert.pem
privkey = /etc/letsencrypt/live/4gl.dev/privkey.pem
chain = /etc/letsencrypt/live/4gl.dev/chain.pem
fullchain = /etc/letsencrypt/live/4gl.dev/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 8c23a81085478ee3e83229b456ff9f84
pref_challs = dns-01,
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
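As an added diagnostic (not part of the original post and not Certbot's own code), the script below parses the "Certificate Authority reported these problems" block quoted above and, by calling `dig` through subprocess, works out which zone is authoritative for each failed name and which TXT records its nameservers actually serve at `_acme-challenge.<domain>`. If every authoritative server returns exactly the value the CA called incorrect, the record is wrong or stale at the source (for example, written into the wrong zone or left over from an earlier run) rather than merely slow to propagate; the sample report is constructed from the post's own lines, and a live run assumes `dig` is installed.

```python
"""Diagnose a certbot dns-01 failure: parse the CA's "reported these problems"
block and compare it with what the authoritative nameservers actually serve."""
import re
import subprocess

# Failure block as certbot printed it in the post above (constructed from those lines).
SAMPLE_REPORT = ("Domain: neptune.4gl.dev\nType: unauthorized\nDetail: Incorrect TXT record "
                 '"emxReSvF2dbJHUBg_5P7bfZcacxabQ07Qs6jt4QNrJY" found at _acme-challenge.neptune.4gl.dev\n')
FAILURE_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<type>\S+)\s*\n\s*Detail:\s*(?P<detail>[^\n]*)")
QUOTED_RE = re.compile(r'"([^"]*)"')

def parse_failures(output: str) -> list:
    """One dict per failed domain, including any TXT values the CA quoted in Detail."""
    return [{**m.groupdict(), "seen_txt": QUOTED_RE.findall(m["detail"])}
            for m in FAILURE_RE.finditer(output)]

def dig_short(rtype: str, name: str, server: str = "", run=subprocess.run) -> list:
    """Run `dig +short`; `run` is injectable so the logic can be exercised offline."""
    cmd = ["dig", "+short", rtype, name] + ([f"@{server}"] if server else [])
    proc = run(cmd, capture_output=True, text=True, check=False)
    return [line.strip() for line in proc.stdout.splitlines() if line.strip()]

def authoritative_servers(name: str, run=subprocess.run) -> tuple:
    """Walk up the labels to the nearest zone cut: a delegated subdomain (e.g. a separate
    neptune.4gl.dev zone) has its own NS set, otherwise the parent zone's NS apply."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        zone = ".".join(labels[i:])
        ns = dig_short("NS", zone, run=run)
        if ns:
            return zone, [s.rstrip(".") for s in ns]
    raise RuntimeError(f"no NS records found for {name} or any parent zone")

def diagnose(output: str, run=subprocess.run) -> list:
    """Per failed domain: its zone, the TXT each authoritative server returns for
    _acme-challenge.<domain>, and whether that equals the value the CA rejected
    (a stale or wrongly placed record rather than a propagation delay)."""
    report = []
    for f in parse_failures(output):
        zone, servers = authoritative_servers(f["domain"], run=run)
        challenge = f"_acme-challenge.{f['domain']}"
        served = {s: [v.strip('"') for v in dig_short("TXT", challenge, s, run=run)]
                  for s in servers}
        stale = bool(f["seen_txt"]) and all(
            sorted(v) == sorted(f["seen_txt"]) for v in served.values())
        report.append({"domain": f["domain"], "zone": zone, "served": served,
                       "stale_record_served": stale})
    return report
```

Running `diagnose(SAMPLE_REPORT)` against live DNS needs `dig` and network access; paste the report block from your own certbot output in place of the sample.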