LetsEncrypt/Certbot is a wonderful cheap way to have an SSL cert to secure things. It works out of the box and no issues for the most part until you have things like proxy pass or other things.
The fix is fairly easy however, and this works well in particular with those running tomcat behind apache
Create a config for letsencrypt in say /etc/httpd/conf/letencrypt.conf or /etc/apache/ that looks something like this
ProxyPass /.well-known/acme-challenge ! Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge <Directory "/var/www/html/.well-known/acme-challenge"> Options None AllowOverride None Require all granted AddDefaultCharset off </Directory>
Restart your apache, and run certbot like this
certbot (or name of binary) certonly -d domain.com -d www.domain.com
if asked for the DocumentRoot set that to /var/www/html
This will negate that directory /.well-known from the proxy pass, and alias it to /var/www/html allowing all domains to verify off the same place without issues.
If you are running older apache you may see the error ... "configuration error: couldn't perform authentication. AuthType not set!"
Replace the line 'Require all granted' with
Order allow,deny Allow from all
Newer certbots get the DocumentRoot themselves, older ones you may need to set that. Older versions also may need to manually create your apache config with the cert by copying the port 80 config, change the port to 443, and include