Certbot-can't get SSL certificate for mail.domain.com

I want to install a Let’s Encrypt certificate on my server for domain.com, www.domain.com and mail.domain.com. So I created the following domain-site.conf file for the virtual hosts:

<VirtualHost *:80>
ServerAdmin admin@domain.com
DocumentRoot "/home"
ServerName domain.com
ServerAlias www.domain.com
ErrorLog "/var/log/httpd/domain.error_log"
CustomLog "/var/log/httpd/domain.access_log" common
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.domain.com [OR]
RewriteCond %{SERVER_NAME} =domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
ServerAdmin admin@domain.com
DocumentRoot "/home"
ServerName mail.domain.com
ErrorLog "/var/log/httpd/mail.domain.error_log"
CustomLog "/var/log/httpd/mail.domain.access_log" common
</VirtualHost>

And then, when I run the sudo certbot --apache command and hit enter to install the certificate for all 3 names, it cannot install the certificate for mail.domain.com and gives the output below. How do I solve the issue?

You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain.com.conf)

It contains these names: domain.com, www.domain.com

You requested these names for the new certificate: domain.com, mail.domain.com,

Do you want to expand and replace this existing certificate with the new
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.domain.com
Waiting for verification...
Challenge failed for domain mail.domain.com
http-01 challenge for mail.domain.com
Cleaning up challenges
Some challenges have failed.

- The following errors were reported by the server:

Domain: mail.domain.com
Type:   unauthorized
Detail: Invalid response from
[ip]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
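A pre-flight check for the http-01 challenge that the output above shows failing, added here as an example (it is not from the original post and not part of certbot): it resolves each name and fetches a random, non-existent path under /.well-known/acme-challenge/ over plain HTTP, then reports which web server answered. The quoted 404 body names nginx rather than Apache, so a probe like this shows whether a different daemon is answering port 80 for mail.domain.com; the hostnames and the "Apache" expectation are assumptions.

```python
import http.client
import secrets
import socket
import sys


def classify_probe(status, server_header, expected="Apache"):
    """Verdict for one http-01 pre-flight probe.

    A 404 for a random token is the normal answer when the right server is
    listening (certbot has not written the token file yet); what matters is
    which server produced it. 'expected' is an assumed substring of the
    Server header, e.g. "Apache" for the vhost config in the question.
    """
    srv = (server_header or "").lower()
    if expected.lower() not in srv:
        shown = server_header or "unknown"
        return f"WRONG_SERVER: port 80 answered by '{shown}', not {expected}"
    if status in (200, 404):
        return "OK: expected web server answers on port 80"
    if 300 <= status < 400:
        return "REDIRECT: challenge path is redirected; the target must serve it"
    return f"UNEXPECTED_STATUS: {status}"


def resolve(host):
    """A/AAAA addresses the resolver returns for host (what the CA will contact)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80)})


def probe(host, timeout=10):
    """GET a random challenge path over plain HTTP and return (status, Server header)."""
    token = secrets.token_urlsafe(32)
    path = f"/.well-known/acme-challenge/{token}"
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Server")


if __name__ == "__main__":
    # Usage: python acme_preflight.py domain.com www.domain.com mail.domain.com
    for host in sys.argv[1:]:
        print(host, "->", resolve(host))
        status, server = probe(host)
        print(f"  HTTP {status}, Server: {server}")
        print("  ", classify_probe(status, server))
```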

Welcome to the Let’s Encrypt Community 🙂

First off, I noticed that you’re not redirecting mail to https, but that’s not the issue with certbot.

Without knowing your actual domain name, I can’t use dig to check your dns records to see if they’re setup correctly. Keep in mind that all certificates issued by Let’s Encrypt (and the certificates issued by many other certificate authorities) are public knowledge at https://crt.sh/?q=domain.com, so you’re not really gaining any privacy by not supplying your domain name. We’ve seen domains for everything from NASA to fetish porn come through here, so no worries about judgment.

Everyone - and we do mean EVERYONE - has the right to privacy.
By that I mean, to secure all your internet “conversations”.
Keeping your domain private (although “allowed”) here doesn’t make much sense, as that hinders the resolution of your problem.
It’s like going to the Doctor and telling them they can’t examine you.