I don't recall ever specifying that. However, I've been using certbot for quite a long time. On my FreeBSD server since I first set it up in 2015, and on my Mac home server before it when Let's Encrypt first came out.
That's no surprise that you get a 403 on solar.schamschula.com. It only allows access from a particular C block (work). You are better off trying wx.schamschula.com, but it also has some restrictions. Also I have to turn off ipfw when I renew the certs, as I block a large part of IPv4 space.
```
# SSL
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/letsencrypt/live/wx.schamschula.com/cert.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/wx.schamschula.com/privkey.pem
<Directory "/usr/local/www/apache24/data">
    #Include /usr/local/etc/apache24/extra/httpd-rewrite.conf
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    RewriteEngine On
    # IP ranges
    Include /usr/local/etc/apache24/extra/ip.conf
    Allow from all
    Require all granted
</Directory>
```
I'm not sure what you are looking for. There are some bits of the config I'd rather not make public, i.e. anything about the directory structure, and anything commented out, like old proxy setups.
The port 80 config closely mirrors the port 443 setup:
```
<VirtualHost *:80>
    ServerAdmin marius@schamschula.com
    DocumentRoot "/usr/local/www/apache24/data"
    ServerName wx.schamschula.com:80
    ErrorLog "/var/log/httpd-error.log"
    CustomLog "/var/log/httpd-access.log"
    <Directory "/usr/local/www/apache24/data">
        #Include /usr/local/etc/apache24/extra/httpd-rewrite.conf
        Options Indexes FollowSymLinks
        AllowOverride All
        RewriteEngine On
        # IP ranges
        Include /usr/local/etc/apache24/extra/ip.conf
    </Directory>
</VirtualHost>
```
I don't have time to work on this messy problem right now. I wanted to inform you about prior certs in case your backups cover that, and of the status of your current rate limit.
I ran a script to check for expired certs on a daily basis (I've since changed the cron job to run once a week). However, there was a configuration error (see this thread), which caused multiple certs to be generated and I didn't notice it until I got an email that my certs are about to expire. Unfortunately, I didn't correctly debug the issue at the time (last week). Due to the configuration error, certs weren't correctly installed on my server, so there are no back-ups. The script didn't make back-ups anyway. I'll add that!
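A sketch of a guard for the kind of renewal cron job described in the post above, added here as an example and not the poster's script: it backs up the certbot directory before every request and stops once requests keep being made without the installed certificate changing. The function names, the state file and both thresholds are assumptions chosen for illustration.

```python
import json
import shutil
import ssl
import time
from pathlib import Path

WEEK = 7 * 24 * 3600
RENEW_BEFORE_DAYS = 30     # assumption: renew during the last 30 days of validity
MAX_ATTEMPTS_PER_WEEK = 2  # assumption: a deliberately low cap on requests per 7 days


def days_left(enddate_line, now):
    """Days until expiry, from the output of `openssl x509 -noout -enddate`."""
    not_after = enddate_line.strip().split("=", 1)[1]
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def recent_attempts(state_file, now):
    """Timestamps of renewal requests recorded during the last 7 days."""
    try:
        attempts = json.loads(Path(state_file).read_text())
    except FileNotFoundError:
        attempts = []
    return [t for t in attempts if now - t < WEEK]


def backup(config_dir, backup_root, now):
    """Copy the whole certbot config dir; symlinks kept so live/ -> archive/ survives."""
    dest = Path(backup_root) / time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    shutil.copytree(config_dir, dest, symlinks=True)
    return dest


def plan_renewal(enddate_line, config_dir, backup_root, state_file, now=None):
    """Return "skip", "stop" or "renew"; the caller runs certbot only on "renew"."""
    now = time.time() if now is None else now
    if days_left(enddate_line, now) > RENEW_BEFORE_DAYS:
        return "skip"
    attempts = recent_attempts(state_file, now)
    if len(attempts) >= MAX_ATTEMPTS_PER_WEEK:
        # Requests were made but the installed cert did not change: stop and debug by hand.
        return "stop"
    backup(config_dir, backup_root, now)
    Path(state_file).write_text(json.dumps(attempts + [now]))
    return "renew"
```

The expiry check reads the certificate the web server is actually configured to serve, so a request that succeeds but is never installed counts against the weekly cap instead of triggering another request on the next run.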
OK. I removed the port from the server names and added a temporary DocumentRoot to solar.schamschula.com (/usr/local/www/apache24/data/solar). Remember, it normally proxies my inverter.