this is actually a bug, and not in certbot but apache,
and it is easy to handle it manually, but should not exist 
so, the problem is simply that after issuing a2ensite the -le-ssl.conf file won't be removed from sites-enabled...
moreover, when then a2ensite is issued for the same site, the -le-ssl.conf file is not added "back", either...
(kind of consequently )
in normal web search, the results are from 2013, and very stupid... like this one:
[SOLVED] Apache2 is ignoring conf changes - a2dissite removes symlink from sites-enabled [Archive] - Ubuntu Forums (ouch!)
this is why I'm bringing it up, as a reminder, and as a usable advice for those searching:
until it is solved (on the part of Apache), handle it manually: remove that -le-ssl.conf file from sites-enabled