My server had a Let’s Encrypt certificate configured on the default site. When I added a virtual host and tried running the regular letsencrypt tool on the new vhost site, it failed with this error:
Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to :443 for TLS-SNI-01 challenge
I suspect it was because the default certificate (for the main domain) was being served for the new vhost on a different domain.
So, run certbot instead:
It had to download and install some dependency packages, then asked whether to allow HTTP and HTTPS access to your site or redirect HTTP requests to HTTPS.
It creates the site’s SSL configuration file, adds the certificate files to that config, and edits the old file to rewrite HTTP URLs to HTTPS (if you asked for that).