Unable to find a virtual host listening on port 80

I think the problem may be in your redirection statements:
Redirect permanent / https://aholab.ehu.es/
redirects (correctly) to https.
So, http://aholab.ehu.es/.well-known/acme-challenge/1234
forwards to: https://aholab.ehu.es/.well-known/acme-challenge/1234
But the TLS server block also has a redirection statement:
RedirectMatch ^/$ /aholab/
So, now the (new) request to: https://aholab.ehu.es/.well-known/acme-challenge/1234
is “mangled” to?: https://aholab.ehu.es/aholab/.well-known/acme-challenge/1234
Which should get the content from /var/www/aholab/.well-known/acme-challenge/1234
But the --webroot specifies /var/www
So the challenge files end up at: /var/www/.well-known/acme-challenge/1234
Not where they are actually being served from (/var/www/aholab/.well-known/acme-challenge/1234).

You can try updating the command with -w /var/www/aholab
[to force them to match]
If this fails, then we need to exclude the /.well-known/acme-challenge from
RedirectMatch ^/$ /aholab/
Or ensure the redirection doesn’t cause other problems (like truncating the full URL)

[edit - corrected my dyslexia and added this thought]
Since it seems that 100% of the connections will go to the redirected path…
Why not remove the redirection and just update the document root?
from:

        DocumentRoot /var/www/
        RedirectMatch ^/$ /aholab/

to:

        DocumentRoot /var/www/aholab/
        #RedirectMatch ^/$ /aholab/
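
An offline way to check whether the file certbot writes under `--webroot` is the file Apache would serve after both redirects, as an added example that is not part of the original post. It is a simplified model of mod_alias (prefix `Redirect`, regex `RedirectMatch` with `$N` substitution); the function names and the broader second pattern are hypothetical, and the paths and host are the ones quoted above.

```python
import re
from posixpath import join, normpath
from urllib.parse import urlsplit

HOST = "aholab.ehu.es"  # host name from the post

def redirect_prefix(path, prefix, target):
    """Redirect: prefix match; the rest of the path is appended to the target."""
    return target + path[len(prefix):] if path.startswith(prefix) else None

def redirect_match(path, pattern, target):
    """RedirectMatch: regex against the URL path; $N in the target is group N."""
    m = re.search(pattern, path)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), target)

def served_file(url, tls_pattern, tls_target, docroot):
    """Follow both vhosts' redirects, then map the final path onto DocumentRoot."""
    # Port 80 vhost: Redirect permanent / https://aholab.ehu.es/
    hop = redirect_prefix(urlsplit(url).path, "/", f"https://{HOST}/")
    path = urlsplit(hop).path
    # TLS vhost: apply RedirectMatch until it no longer fires (bounded, as a client would)
    for _ in range(5):
        nxt = redirect_match(path, tls_pattern, tls_target)
        if nxt is None:
            break
        path = urlsplit(nxt).path
    return normpath(join(docroot, path.lstrip("/")))

def check(webroot, tls_pattern, tls_target, docroot, token="1234"):
    """Return (file Apache would serve, True if certbot's --webroot file is that file)."""
    url = f"http://{HOST}/.well-known/acme-challenge/{token}"
    written = normpath(join(webroot, ".well-known/acme-challenge", token))
    served = served_file(url, tls_pattern, tls_target, docroot)
    return served, served == written

if __name__ == "__main__":
    cases = [
        ("/var/www", r"^/$", "/aholab/"),                          # directive from the post
        ("/var/www", r"^/(?!aholab/)(.*)$", "/aholab/$1"),         # hypothetical broad pattern
        ("/var/www/aholab", r"^/(?!aholab/)(.*)$", "/aholab/$1"),  # same, with -w /var/www/aholab
    ]
    for webroot, pattern, target in cases:
        print(webroot, pattern, *check(webroot, pattern, target, "/var/www"))
```

Whether the challenge path is rewritten depends on what the `RedirectMatch` pattern matches, so run the check with the exact pattern, target and `DocumentRoot` from the TLS vhost.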