Like a lot of people who post here, this isn’t my day job. Maybe for people who work with certs full time, these are obvious.
But I think I resolved this by issue when I checked the version of certbot-auto and it autoupdated from 0.27.1 to 0.30.2 (because my subsequent dry-run reported that all was well).
The second step of the instructions (using sed to do something) was confusing. It wasn’t clear where the renewal files are located (/etc/letsencrypt/renewal/) and those files don’t match /tls/i or /sni/i :
# pwd
/etc/letsencrypt/renewal
# grep -i tls *
# grep -i sni *
#
So, I guess it was a matter of using an older version of certbot that was the problem, yes? Having a successful dry-run means that everything is OK, right?
Maybe that’s obvious, but since I cannot see why (other than possible an older CB client) I was using TLS-SNI-01, and since it’s not sunset yet, it’s not 100% clear that a successful dry-run means that I won’t have trouble on 2/13 and after 3/13.
EDIT: I notice that my dry-run output specifies the challenge type: “http-01 challenge for acumented.com”, so I do think I am OK now.