I’ve been working on some documentation related to this so I’m going to try out my list of most common problems on you (maybe we can refine it or other people can suggest others). In this case, the Apache plugin is trying to reconfigure your Apache server to serve custom certificates requested by the CA (as proof that you really control the server for bestanswers.info), and the Apache plugin thought it succeeded, but it didn’t actually succeed.
The most common reason for this is that the Apache plugin currently has problems parsing configuration files that define more than one virtualhost within the same configuration file. This bug will be fixed in an upcoming release. Unfortunately, the plugin often fails to show a useful error when this happens. Is it possible that your Apache configuration includes a configuration file with more than one virtualhost defined in the same file?
Some other cases that may be applicable to this error:
- You aren’t running Certbot on your web server
Most people should install and run Certbot on their web server hosting their website, not on their laptops or some other computer. While you can use Certbot in manual mode on a laptop and then separately set up the appropriate files on your webserver, it’s not likely to be the most convenient way to get a certificate for most users.
- A domain name you’re requesting a certificate for isn’t correctly pointed at that web server
In most cases, every name you’re requesting a certificate for should already exist and be pointed to the server where you’re requesting that certificate. (Some alternatives exist for complex network configurations, but they’re the exception rather than the rule.)
- You’re using a content delivery network (CDN)
TLS-SNI-01 doesn’t work with CDNs (like CloudFlare and Akamai). You have to use a different challenge type. (This is a special case of the previous problem: the domain name is pointed at the CDN, not directly at your server.)
- A firewall is blocking access to port 443
The certificate authority needs to be able to connect to port 443 of your server in order to confirm that you satisfied the TLS-SNI-01 challenge. So that needs to be publicly reachable from the Internet, and not blocked by a router or firewall. [This is unlikely with the specific error that you saw, but could happen if the firewall itself tries to terminate or intermediate incoming HTTPS connections.]
- The Apache plugin wasn’t right for this case
Certbot thinks you’re running Apache, but you aren’t running it, or you’re running a different server of some kind on port 443
- Certbot doesn’t know how to modify your web server configuration correctly
The multiple virtualhosts per config file problem is currently the most common reason for this.