The key authorization file from the server did not match this challenge

Help
1

I saw that this error was discussed already a few times, but those threads were locked, and the solutions don't apply to me. This is a brand new VPS, fresh after install - literally first thing I did was change ssh port to something not obvious, then enabled ufw, then I tried to get certs for my domain.

My domain is:
orthoboard.xyz

I ran this command: 
sudo certbot certonly --cert-name shared --standalone -d orthoboard.xyz --email <my-email-goes-here> --test-cert --agree-tos

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for orthoboard.xyz

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Identifier: orthoboard.xyz
  Type:   unauthorized
  Detail: The key authorization file from the server did not match this challenge. Expected "11VuAiVIvlN2AOC7k6eZ3YxnFCxZQzfuFrxfPcaRAyk.LhHWGl356I9mNyuFncMErWewPEcRGfBT9_D58ghk0BI" (got "11VuAiVIvlN2AOC7k6eZ3YxnFCxZQzfuFrxfPcaRAyk.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8")

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details

My web server is (include version): didn't use one (using --standalone for now)

The operating system my web server runs on is (include version): ubuntu 26.04

My hosting provider, if applicable, is: it's a VPS so... irrelevant?

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.6.0 installed via snap

2

You have both an IPv4 and IPv6 address listed in your DNS for your domain. Which is fine. But, the IPv6 address gets a response from an Apache server. In fact, it gets what is called a "stateless" response to the ACME Challenge which is not the correct one for your system. That may actually come from a load balancer that looks to be related to that Apache server.

Let's Encrypt prefers IPv6 when an AAAA record is present in your DNS. Which is why you get the failure you do.

You need to set the AAAA record to point at the same place your A record points. Or remove AAAA if you cannot support IPv6.

See this test result: Let's Debug