Did you know that http://www.spoonbomb.com/ itself is an Apache "it works!" page, instead of the Spoon Bomb website?
(https://www.spoonbomb.com/ is the right website, but with a self-signed certificate.)
Can you post "sudo apachectl -t -D DUMP_VHOSTS"?
If there are multiple overlapping virtual hosts, sometimes Certbot will apply the validation modifications to one, and then Apache will use a different one.
Certbot 0.31.0 and newer will be more likely to succeed, but you can also just fix the ambiguity in the Apache configuration, if that's what the issue is.
Were you using certbot-auto before?