Run (as root or with sudo)

apache2ctl stop
letsencrypt --authenticator standalone --installer apache -d your.domain

Choose "easy" (you can tidy up later if you want https only)

The letsencrypt agent should restart apache for you.

It is because Let’s Encrypt has currently disabled the TLS-SNI-01 challenge due to an identified security issue.

The official has provided an workaroud at the Let's Encrypt community website as following:

If you’re serving files for that domain out of a directory on that server, you can run the following command:

sudo certbot --authenticator webroot --webroot-path <path to served directory> --installer nginx -d <domain>

If you’re not serving files out of a directory on the server, you can temporarily stop your server while you obtain the certificate and restart it after Certbot has obtained the certificate. This would look like:

sudo certbot --authenticator standalone --installer nginx -d <domain> --pre-hook "service nginx stop" --post-hook "service nginx start"

2018-01-19 update

Let’s Encrypt just released Certbot 0.21.0, which use HTTP-01 challenge type instead of the compromised TLS-SNI-01 by default for apache httpd and nginx. Update your certbot to get rid of this issue.

This is what worked for me:

certbot --authenticator standalone --installer apache -d <domain> \
--pre-hook "systemctl stop apache2" \
--post-hook "systemctl start apache2"

run the command and change match inside the tags <>

sudo certbot --authenticator webroot --webroot-path <path to served directory> --installer apache -d <domain>

Since I'm using apache, I used this format,

sudo ./certbot-auto --authenticator webroot --webroot-path <path-to-webroot> --installer apache -d <your-domain>

e.g.

sudo ./certbot-auto --authenticator webroot --webroot-path /var/www/html --installer apache -d mydomain.com