The problem is that the certificate you have issued only covers vanguardmagic.com but not www.vanguardmagic.com and you are redirecting all connections from vanguardmagic.com to www.vanguardmagic.com so the certificate is not valid for this subdomain. You should create a certificate covering both names.
What command did you use to issue your certificate?
I've added two new params, --cert-name vanguardmagic.com that will use the already created dir structure inside /etc/letsencrypt/ and a new -d param, -d www.vanguardmagic.com that will also cover your www subdomain.
Are you using standalone authentication for some reason? I'm asking because this authentication method requires stopping your web server and, once the cert is renewed, starting it again; maybe you should use apache as the authenticator too.
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: File not found: ert-name
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin
(U)pdate cert/(C)ancel:
(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vanguardmagic.com
http-01 challenge for www.vanguardmagic.com
The program apache2 (process ID 12150) is already listening on TCP port 80. This
will prevent us from binding to that port. Please stop the apache2 program
temporarily and then try again.
Press Enter to Continue
Cleaning up challenges
At least one of the required ports is already taken.
Yes, you must stop apache before issuing the command and start it again once done. And add pre-hook and post-hook commands so it can be done automatically in the next renewal.
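A check for the name mismatch diagnosed at the top of this thread, as an added example that is not part of any post here: it reports which served hostnames (redirect targets included) are not covered by a certificate's subjectAltName entries. The function names and the `BEFORE`/`AFTER` sample certificates are constructed for illustration; `fetch_cert` needs network access and is not called by default.

```python
import socket
import ssl

def _matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def uncovered_names(cert: dict, hosts: list[str]) -> list[str]:
    """Return the hosts that no DNS subjectAltName in `cert` covers.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [h for h in hosts if not any(_matches(s, h) for s in sans)]

def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch the served certificate with chain validation but without the
    hostname check, so a name-mismatched cert can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the chain is still verified (CERT_REQUIRED)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples: the certificate before and after adding the second -d name.
BEFORE = {"subjectAltName": (("DNS", "vanguardmagic.com"),)}
AFTER = {"subjectAltName": (("DNS", "vanguardmagic.com"),
                            ("DNS", "www.vanguardmagic.com"))}
# Every name a visitor can land on, including the redirect target.
SERVED = ["vanguardmagic.com", "www.vanguardmagic.com"]

if __name__ == "__main__":
    for label, cert in (("before", BEFORE), ("after", AFTER)):
        missing = uncovered_names(cert, SERVED)
        print(label, "missing:", missing or "none")
```

To check the live site after reissuing, pass `fetch_cert("www.vanguardmagic.com")` as the first argument to `uncovered_names`.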
For some reason I had to stop mysqld and apache in order to renew the certificates. In fact, certbot tells you the ID of the process that has taken the port, so I killed the two processes by using their IDs and then I ran: