Whatever it ought to do, Apache is trying to listen 443 and finds it cannot
and crashes. There is another “listen 443” in one of the included .conf
files. Removing the “listen” that letsencrypt added fixes the problem.
The discussion and debugging over this issue continued in private messages between me and @ddyer over the last few days.
The issue was identified as Certbot being unable to find the variable SSL, which was used in the <IfDefine SSL> statement wrapping the VirtualHost block in one of the virtual host configuration files. This caused Certbot to be unable to see the Listen 443 statement that was defined inside that virtual host.
The variable SSL was added to the Apache command line in the CentOS/RHEL/Fedora-specific configuration file /etc/sysconfig/httpd. We have been parsing this file for variables since Certbot v0.20, but the parsing method had a bug that did not recognize command line options with no whitespace separator, for example -DSSL vs. -D SSL.
As a workaround, I proposed adding Define SSL to the main httpd.conf, thus making it visible to Certbot for the time being.
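The two spellings mentioned above, -DSSL and -D SSL, can be handled by one parser, shown here next to a whitespace-only version that misses the joined form. This is an added example, not Certbot's code or part of the original posts; the sample file content and all function names are constructed for illustration.

```python
import shlex

# Constructed sample of /etc/sysconfig/httpd content (not from the thread).
SAMPLE_SYSCONFIG = '''\
# Configuration file for the httpd service.
#OPTIONS=-DIGNORED
OPTIONS="-DSSL -D STATUS -k start"
LANG=C
'''

def options_tokens(text):
    """Return the shell-split tokens of the last active OPTIONS= line."""
    tokens = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # skip comments and non-assignments
        key, _, value = line.partition("=")
        if key.strip() == "OPTIONS":
            # Drop the surrounding quotes, then split like a shell would.
            tokens = shlex.split(value.strip().strip("\"'"))
    return tokens

def naive_defines(tokens):
    """Whitespace-only form: sees '-D NAME' but misses '-DNAME'."""
    found = set()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-D":
            found.add(tokens[i + 1])
    return found

def defines(tokens):
    """Collect names from both '-D NAME' and '-DNAME'."""
    found = set()
    it = iter(tokens)
    for tok in it:
        if tok == "-D":
            name = next(it, "")   # separated form: name is the next token
        elif tok.startswith("-D"):
            name = tok[2:]        # joined form: name follows the flag
        else:
            continue              # unrelated option such as -k
        if name:
            found.add(name)
    return found

if __name__ == "__main__":
    toks = options_tokens(SAMPLE_SYSCONFIG)
    print("naive:", sorted(naive_defines(toks)))
    print("both forms:", sorted(defines(toks)))
```
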