LetsEncrypt deprecates TLS-SNI-01 as a valid challenge soon, so I had to upgrade the existing Debian package certbot 0.10.2 to the download version certbot-auto (currently version 0.30.0) on a Debian server. certbot-auto renew --dry-run gave me errors for some, but not all installed domains. The error was "The client lacks sufficient authorization :: Invalid response from" with a 403 forbidden.

With certbot-auto renew --dry-run --cert-name DOMAIN I compared a working to a non-working domain. The difference was that the non-working one used the apache authenticator and the working one webroot. So I changed all configuration files in /etc/letsencrypt/renewal to authenticator = webroot and added

[[webroot_map]]
www.domain.com = /var/www/www.domain.com/home/htdocs

After that there was only one domain with an error left. The error was "Missing command line flag or config entry for this setting:
Select the webroot". This domain was configured without www. in the beginning, but also renews the www. domain certificate. So it needed two entries in webroot_map, one with and one without www. in the beginning.