LetsEncrypt/Certbot is a wonderful cheap way to have an SSL cert to secure things. It works out of the box and no issues for the most part until you have things like proxy pass or other things.

The fix is fairly easy however, and this works well in particular with those running tomcat behind apache

Create a config for letsencrypt in say /etc/httpd/conf/letencrypt.conf or /etc/apache/ that looks something like this

ProxyPass /.well-known/acme-challenge !

Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge

<Directory "/var/www/html/.well-known/acme-challenge">
    Options None
    AllowOverride None
    Require all granted
    AddDefaultCharset off
</Directory>

Restart your apache, and run certbot like this

certbot (or name of binary) certonly -d domain.com -d www.domain.com

if asked for the DocumentRoot set that to /var/www/html

This will negate that directory /.well-known from the proxy pass, and alias it to /var/www/html allowing all domains to verify off the same place without issues.

If you are running older apache you may see the error … “configuration error: couldn’t perform authentication. AuthType not set!”

Replace the line ‘Require all granted’ with

Order allow,deny
Allow from all

Newer certbots get the DocumentRoot themselves, older ones you may need to set that. Older versions also may need to manually create your apache config with the cert by copying the port 80 config, change the port to 443, and include
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem