TL;DR: temporarily stop lighttpd, renew the certificate, and then start lighttpd.
Use the following list of commands:

systemctl stop lighttpd
certbot renew
systemctl start lighttpd

Specific commands for my setup

certbot certonly -d my.custom.domain --nginx

Certonly instructs certbot to renew certificates for only one domain, and –nginx indicates we want to use the nginx plugin

Make sure you have port 80 forwarded to the device hosting the nginx instance, as that is the port certbot uses to communicate with the CA

Long description

Scenario: You have a number of services (e.g. VPN, DNS, DoT) proxied behind NGINX, while also running Pi-Hole with the web console.
You make the smart decision and choose to secure your services using the awesome free certificates from Certbot.
60 days have passed with much merriness, and you just got the notification to renew the certificates.
“No worries” you think to yourself, as you quickly type out “sudo certbot renew” into your favourite shell.

Unfortunately this returns an error:

Waiting for verification...
Challenge failed for domain arst.com
http-01 challenge for arst.com
Cleaning up challenges
Failed to renew certificate arst.com with error: Some challenges have failed.

This error happens because certbot needs port 80 to verify you are the rightful owner of the (sub)domain name. However, this clashes with the Pi-hole admin console which already has a server bound to port 80, causing the verification to fail

This error is fixed simply by temporarily stopping the Pi-hole admin console, using the commands at the top of the page

Note that this does NOT pause Pi-hole ad blocking, as we are only stopping the web server serving the Pi-hole admin console