Thanks for all your help.
I was able to resolve the issue by running a renewal with the webroot specified. I’m not entirely sure why it was needed, because I ran apachectl -t -D DUMP_VHOSTS on the problem machines/domains and a known working one, and the only difference was the domain name. I also combed through the Apache config files on a problem and working machine/domain, and I couldn’t find any differences that would cause it.
What I ended up doing in my case, which I post in the interest that it may help others, was to specify the web root and force renewal:
./certbot-auto renew --webroot -w /full/path/to/domain/httpdocs --force-renewal
Note that the --force-renewal was necessary because the certificate was not yet due for renewal. Although the documentation states that you must use -d when using --force-renewal, I found this not to be the case, and in my case, it was safe to do it because there’s only one domain on the machine.
After renewing the cert, as promised, ./certbot-auto renew showed the certificate as valid for a fresh 90 days, and a simple ./certbot-auto renew --dry-run succeeded without any errors.
Thanks again for everyone’s help on this thread.