If you’re getting the following error it means that your certbot script is outdated.
certbot: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
First check which version you are running, you need 0.28 or later.
# certbot --version
In my case i had python-certbot 0.10.2-1 but a package named certbot 0.28.0-1~deb9u2 was available for upgrade. Why this hasn’t been upgraded automatically confuses me but luckily it can be done by hand:
# apt install certbot
If the installation was successful you can give it a test run.
# certbot renew --dry-run
Notice that this might stop and start apache several times so make sure to run this out of production time!