Hi @perryhs
there is nothing strange. Your dry-run uses http-01 validation.
But your main-system validation uses tls-sni-01 - validation:
tls-sni-01 is deprecated, support ends 2019-02-13.
So use
certbot renew --preferred-challenges http
so that you use the http challenge with the main system.