After updating the Keycloak app to 8.2. 21.1.2-ucs2 the Letsencrypt certificate could not be updated any more. In the changelog it says:
If the Keycloak hostname is accessed using http, you are now directly redirected to https
But the Letsencrypt app needs http for the challenge. So I just removed the new <VirtualHost *:80> block from /etc/apache2/sites-available/univention-keycloak.conf and reloaded Apache. Then sudo -u letsencrypt /usr/share/univention-letsencrypt/refresh-cert succeeded.
I would prefer a proper permanent solution. Thanks!