Thanks very much for your help, that’s fixed it! The packages were out of sync!
For anyone else who has this problem, firstly I checked my cli.ini file, which didn’t mention anything relevant:
$ cat /etc/letsencrypt/cli.ini
# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0
There were no cli.ini files in the other locations mentioned.
There were no matches for:
$ sudo grep -RE "(pref_challs|challenges)" /etc/letsencrypt/
The only variables that -vvv appears to mention were:
Var dry_run=True (set by user).
Var server={'dry_run', 'staging'} (set by user).
Var account={'server'} (set by user).
However, the final suggestion of using dpkg to check that the other certbot packages were in sync did show that there were mismatches:
$ dpkg --list | grep -E "python.?-certbot"
ii python-certbot-nginx 0.25.0-2+ubuntu14.04.1+certbot+1 all transitional dummy package
ii python3-certbot 0.28.0-1+ubuntu14.04.1+certbot+4 all main library for certbot
ii python3-certbot-nginx 0.22.0-1+ubuntu14.04.1+certbot+2 all Nginx plugin for Certbot
I upgraded the outdated packages:
$ sudo apt-get install python3-certbot-nginx
$ sudo apt-get install python-certbot-nginx
Which fixed the dpkg output to look correct:
$ dpkg --list | grep -E "python.?-certbot"
ii python-certbot-nginx 0.28.0-1+ubuntu14.04.1+certbot+3 all transitional dummy package
ii python3-certbot 0.28.0-1+ubuntu14.04.1+certbot+4 all main library for certbot
ii python3-certbot-nginx 0.28.0-1+ubuntu14.04.1+certbot+3 all Nginx plugin for Certbot
And now running sudo certbot renew --dry-run shows all challenges being made using http-01, as I’d expect.
Thanks again, _az!