Here is the explanation: the /etc/hosts files had lines that gave static IPs to the servers that renew certificates:
# /etc/hosts 104.85.23.247 acme-v01.api.letsencrypt.org 104.85.23.247 acme-staging.api.letsencrypt.org These point to Akamai server. They were probably proxing letsencrypt servers until last month, since renewing certificates worked for the last 10 months with this config. I can't trace precisely the origin of those 2 lines, but etckeeper shows they were introduced at the same time certbot was installed (2017-08). And I certainly did not write them myself. I suppose certbot's install was a bit flawed at that time. You may close the ticket. Thank you for you help.
