Basically there are 3 steps to do and first one - upgrade to version 0.28 you already did.
Steps to do:
- Remove any explicit references to tls-sni-01 in your renewal configuration:
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
- Do a full renewal dry run:
sudo certbot renew --dry-run
If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go! No further action should be required to deal with the end of TLS-SNI-01 support. If it fails, fix the validation problems you see and try again.