By the way, @gotham, this particular explanation of changing DocumentRoot after generating the cert is only relevant to the HTTP-01 challenge (for example using --webroot), but this error shows the TLS-SNI-01 challenge (for example using --apache). This authentication method doesn't rely on knowing the server's DocumentRoot.