SSL on Ubuntu 16.04 with Apache and Varnish

--apache probably isn’t going to work out if you’ve got Varnish sitting in front.

You’re going to need something to terminate SSL.

Varnish isn’t capable of terminating SSL on its own, as far as I know.

So you’re going to either need to configure Apache to listen on port 443 and proxy requests back to port 80 (Varnish) … which will then proxy them back to port 8080.

Or you can run something like haproxy in front of Varnish.

That is going to take some manual configuration. For Certbot, you’re probably going to want to use the webroot authenticator, rather than --apache. And you’re probably going to end up using certonly as well.

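The first layout described in the post above (Apache terminating TLS on 443, Varnish on 80, Apache backend on 8080), sketched as an added example that is not part of the original post. The hostname `example.com`, the webroot `/var/www/html`, the loopback addresses and the file name are assumptions; the certificate paths follow Certbot's default `/etc/letsencrypt/live/<name>/` layout.

```apache
# /etc/apache2/sites-available/example.com.conf  (file name is an assumption)
#
# Modules needed:  a2enmod ssl proxy proxy_http headers
# ports.conf must contain "Listen 443" and "Listen 8080", and must NOT
# contain "Listen 80", because Varnish owns port 80 in this layout.
#
# Obtain the certificate first, without letting Certbot edit Apache's config.
# The HTTP-01 challenge arrives on port 80 (Varnish) and is fetched from the
# backend below, which serves it out of the webroot:
#   certbot certonly --webroot -w /var/www/html -d example.com

# Backend vhost: the origin that Varnish fetches from.
<VirtualHost 127.0.0.1:8080>
    ServerName example.com
    DocumentRoot /var/www/html
</VirtualHost>

# TLS terminator: decrypts on 443 and hands plain HTTP to Varnish on port 80.
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Keep the original Host header so Varnish and the backend see the
    # real site name rather than 127.0.0.1.
    ProxyPreserveHost On

    # Tell the backend the client connection was HTTPS, so the application
    # does not generate http:// links or redirect in a loop. Overwrite any
    # client-supplied value instead of trusting it.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
</VirtualHost>
```

Because `certonly` does not touch the server configuration, Apache has to be reloaded after each renewal to pick up the new certificate, for example with `certbot renew --deploy-hook "systemctl reload apache2"`.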