The opposite! It is a false positive on the part of --force-renewal due to something called "authorization caching".
--dry-run is what you should trust.
Are the DigitalOcean credentials you are providing, only for skalei-validation.com?
The --dns-digitalocean plugin doesn't follow CNAMEs; it expects to find skalei.com in your DigitalOcean account.
If this is a dealbreaker for you, you might consider a client which supports DNS alias mode like acme.sh: DNS alias mode · acmesh-official/acme.sh Wiki · GitHub.