I believe the problem is related to the duplication of port 80 namevhost snackconscious.com in the above.
But if your Certbot was upgraded, I believe the problem would be resolved. So I await your response regarding the other questions about upgrading and certbot --version.
This is what I got
Hit:1 Index of /ubuntu xenial-security InRelease
Hit:2 Index of /ubuntu xenial InRelease
Hit:3 http://archive.canonical.com/ubuntu xenial InRelease
Hit:4 Index of /ubuntu xenial-updates InRelease
Hit:5 Index of /certbot/certbot/ubuntu xenial InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
164 packages can be upgraded. Run 'apt list --upgradable' to see them.
That's the output of apt update .
Can you run these two individually please:
and
apt install -y --only-upgrade certbot python-certbot-apache
Reading package lists⌠Done
Building dependency tree
Reading state information⌠Done
certbot is already the newest version (0.31.0-1+ubuntu16.04.1+certbot+1).
python-certbot-apache is already the newest version (0.31.0-1+ubuntu16.04.1+certbot+1).
0 upgraded, 0 newly installed, 0 to remove and 160 not upgraded.
certbot --version
certbot 0.31.0
Looks like I had to type in Y for the disk space so it might have upgraded it now
Shall I run: certbot renew --dry-run
Alright. Letâs try again with:
certbot renew --dry-run
The vegan and staging ones will fail (since they donât point to this server), but hopefully the live site will succeed.
This is what I got:
Processing /etc/letsencrypt/renewal/snackconscious.com.conf
Cert is due for renewal, auto-renewingâŚ
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for snackconscious.com
http-01 challenge for www.snackconscious.com
Waiting for verificationâŚ
Cleaning up challenges
Attempting to renew cert (snackconscious.com) from /etc/letsencrypt/renewal/snackconscious.com.conf produced an unexpected error: Failed authorization procedure. www.snackconscious.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.snackconscious.com/.well-known/acme-challenge/7X2Rzrk4N8iXrF-vDrZBxNfIHLOMMhnnbJg1CS8jLyg [31.220.56.204]: "\n\n\n<!â[if IE 7]> <html class=âlt-ie9 lt-ie8â> ", snackconscious.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.snackconscious.com/index.php?p=.well-known/acme-challenge/a6AH4CTpwIYZqhCpKmCW4xlpeF7k0hcdenaMWLG2Awc [31.220.56.204]: "\n\n\n<!â[if IE 7]> <html class=âlt-ie9 lt-ie8â> ". Skipping.
Processing /etc/letsencrypt/renewal/staging.snackconscious.com.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/staging.snackconscious.com/fullchain.pem
Processing /etc/letsencrypt/renewal/www.veganlabs.com.conf
Cert is due for renewal, auto-renewingâŚ
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for staging.veganlabs.com
http-01 challenge for www.veganlabs.com
Waiting for verificationâŚ
Cleaning up challenges
Attempting to renew cert (www.veganlabs.com) from /etc/letsencrypt/renewal/www.veganlabs.com.conf produced an unexpected error: Failed authorization procedure. www.veganlabs.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.snackconscious.com/.well-known/acme-challenge/A9NITjUo4rSUXqUnJmqVWGNGNYZOecxO4kLqeYkmXU8 [31.220.56.204]: "\n\n\n<!â[if IE 7]> <html class=âlt-ie9 lt-ie8â> ", staging.veganlabs.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for staging.veganlabs.com. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)
** DRY RUN: simulating âcertbot renewâ close to cert expiry
** (The test certificates below have not been saved.)
The following certs were successfully renewed:
/etc/letsencrypt/live/staging.snackconscious.com/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)
** DRY RUN: simulating âcertbot renewâ close to cert expiry
** (The test certificates above have not been saved.)
2 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
Upgrading didnât help 
. It seems like Certbotâs Apache plugin is having a hard time understanding how to work with your Apache configuration.
Next thing Iâd try is to post the contents of these two files:
Same F1289 user, for some reason I canât post more replies since I am a new user.
Oh I had to change the server password since the developer is not with us, not sure if that has any bearing. So I need to update it anywhere?
No, it wouldnât make any difference.
How do I do this - sorry 
One way could be to run:
cat /etc/apache2/sites-enabled/snackconscious.com.conf
and
cat /etc/apache2/sites-enabled/snackconscious.com-le-ssl.conf
and it would show the contents of the file on your terminal, from which you could copy it.
cat /etc/apache2/sites-enabled/snackconscious.com.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerName snackconscious.com
ServerAlias snackconscious.com www.snackconscious.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/snackconscious.com/html/web
<Directory /var/www/snackconscious.com/html/web>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =www.snackconscious.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerName staging.snackconscious.com
ServerAlias staging.snackconscious.com
ServerAdmin me@example.com
DocumentRoot /var/www/snackconscious.com/staging/web
<Directory /var/www/snackconscious.com/staging/web>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =staging.snackconscious.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
cat /etc/apache2/sites-enabled/snackconscious.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName staging.snackconscious.com
ServerAlias staging.snackconscious.com
ServerAdmin me@example.com
DocumentRoot /var/www/snackconscious.com/staging/web
<Directory /var/www/snackconscious.com/staging/web>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
#RewriteCond %{SERVER_NAME} =staging.snackconscious.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias snackconscious.com
SSLCertificateFile /etc/letsencrypt/live/snackconscious.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/snackconscious.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerName snackconscious.com
ServerAlias snackconscious.com www.snackconscious.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/snackconscious.com/html/web
<Directory /var/www/snackconscious.com/html/web>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
#RewriteCond %{SERVER_NAME} =www.snackconscious.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerName snackconscious.com
ServerAlias snackconscious.com www.snackconscious.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/snackconscious.com/html/web
<Directory /var/www/snackconscious.com/html/web>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
#RewriteCond %{SERVER_NAME} =www.snackconscious.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
SSLCertificateFile /etc/letsencrypt/live/snackconscious.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/snackconscious.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>Thanks. Let me have breakfast and Iâll see whether I can get that working on my own system.
OMG thank you az, I would love to donate to you
Iâm afraid it still doesnât make much sense to me. Based on your upgraded Certbot version, whatâs happening shouldnât be happening.
Craft CMS is intercepting the validation requests on your server is not right - Certbot 0.31 should be preventing that.
Your config on my system works just fine .
The last idea I have is to just try webroot:
certbot renew --cert-name snackconscious.com --webroot -w /var/www/snackconscious.com/html/web --dry-runThis wonât cause any problem to the server right ?
No, itâll just create a file inside your webroot and then delete it afterwards. Wonât affect the site or server.
This is what I got:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/snackconscious.com.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for snackconscious.com
http-01 challenge for www.snackconscious.com
Using the webroot path /var/www/snackconscious.com/html/web for all unmatched domains.
Waiting for verification...
Cleaning up challenges
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/snackconscious.com/fullchain.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
You can remove the --dry-run from the end of the command and run it again.
This will actually renew your certificate, and additionally save that setting for future renewals. So next time itâll be automatic.
We should have tried this a lot earlier but I wanted to get your existing config working.
WOW YAY YAY
Is this the code I run? certbot renew --cert-name snackconscious.com --webroot -w /var/www/snackconscious.com/html/web