I think it should be enough to include the --must-staple option in combination with certbot renew.
A valid authentication is cached for 30 days and the advice is to renew after 60 days (i.e., 30 days before expiry), so yes, on every normal renewal you are required to re-do the challenge. That's not reserved for the dns-01 plugin, by the way, but applies to every challenge.
I would advise you to automate the validation of your hostnames: either switch over to the http-01 challenge (which is easier to automate) if you don't require a wildcard certificate and have a working port 80, or script the adding and removing of the TXT RR for the dns-01 challenge.
Combining -a nginx and -w doesn't make much sense: the -w option is for the webroot authenticator; the nginx authenticator you're using now has its own methods for authenticating the challenge without the use of a webroot.
Also, using /sites-available/ as webroot-path doesn't make much sense either; you're lucky the option isn't used
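Scripting the dns-01 TXT record as the reply suggests, as an added example that is not from the post: a hook for certbot's manual plugin that adds and removes the _acme-challenge record with nsupdate (RFC 2136 dynamic update). The CERTBOT_DOMAIN and CERTBOT_VALIDATION variables are what certbot really exports to hooks; the TSIG_KEY, DNS_SERVER and DNS_PROPAGATION_WAIT variables and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): certbot dns-01 auth/cleanup hook that
# adds and removes the _acme-challenge TXT RR via nsupdate (RFC 2136).
# Assumptions: the zone primary accepts TSIG-signed dynamic updates, the key
# file is named by TSIG_KEY, the primary is named by DNS_SERVER, and certbot
# exports CERTBOT_DOMAIN / CERTBOT_VALIDATION to the hook (it does).
#
# Usage (hypothetical script path):
#   certbot certonly --manual --preferred-challenges dns-01 --must-staple \
#     --manual-auth-hook    "/usr/local/bin/acme-dns-hook.sh add" \
#     --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh delete" \
#     -d example.com -d '*.example.com'
# The hooks are saved in the renewal config, so a plain "certbot renew"
# re-runs the challenge without manual work every 60 days.

# Emit the nsupdate script for adding or deleting the validation record.
acme_nsupdate_script() {
  action=$1; domain=$2; validation=$3; server=$4
  case "$action" in
    add|delete) ;;
    *) echo "acme_nsupdate_script: action must be add or delete" >&2; return 1 ;;
  esac
  # The validation token is base64url, so it needs no escaping inside quotes.
  # Deleting with the data included removes only this record, so the second
  # TXT RR needed for a wildcard + base-domain order at the same name survives.
  printf 'server %s\nupdate %s _acme-challenge.%s. 60 IN TXT "%s"\nsend\n' \
    "$server" "$action" "$domain" "$validation"
}

# Send the update to the zone primary; nsupdate exits non-zero on REFUSED etc.
apply_acme_txt() {
  acme_nsupdate_script "$@" | nsupdate -k "${TSIG_KEY:?set TSIG_KEY to the TSIG key file}"
}

# Hook entry point: $1 says whether certbot invoked us as the auth hook (add)
# or the cleanup hook (delete). Nothing runs when certbot's variables are unset.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  apply_acme_txt "${1:?add|delete}" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
    "${DNS_SERVER:?set DNS_SERVER to the zone primary}"
  if [ "$1" = add ]; then
    # Give secondaries time to pull the change before Let's Encrypt queries it.
    sleep "${DNS_PROPAGATION_WAIT:-30}"
  fi
fi
```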