certbot certificates need to be renewed every 3 months and are renewed every two months.

The apache plugin makes certain assumptions about the setup of apache. It seems that the virtual server that is ultimately reached must have a ServerName or ServerAlias equal to the domain name being verified.

Non-apache certificates (e.g. component names of prosody) will land in the default ssl server.

Apache certificates will land in their own server (or, in case of an aggressive redirect, in a related server).

Requests to www.snel.it end up in snel.it, so snel.it must have ServerAlias www.snel.it for this to work.

An aggressive redirect is:

    Redirect permanent "https://snel.it%{REQUEST_URI}"

This prevents the challenge from being read directly.

NOTE: if there is a server with ServerName foo.bar.com that redirects to bar.com, then:

1. the definition of foo.bar.com must come above the definition of bar.com
2. the definition of bar.com must include a ServerAlias for foo.bar.com
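
The two rules in the NOTE can be checked mechanically before a renewal. The checker below is an added example, not part of the original notes; the sample config, the function names and the one-vhost-per-ServerName simplification are assumptions.

```python
import re

# Constructed sample config (not from the original notes): foo.bar.com
# redirects to bar.com and follows both rules from the NOTE.
SAMPLE_GOOD = """
<VirtualHost *:443>
    ServerName foo.bar.com
    Redirect permanent / https://bar.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName bar.com
    ServerAlias foo.bar.com
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return vhosts in file order: ServerName, aliases, redirect target host."""
    vhosts = []
    blocks = re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I)
    for body in blocks:
        vh = {"name": None, "aliases": set(), "target": None}
        for line in body.splitlines():
            parts = line.split()
            key = parts[0].lower() if parts else ""
            if key == "servername" and len(parts) > 1:
                vh["name"] = parts[1].lower()
            elif key == "serveralias":
                vh["aliases"].update(p.lower() for p in parts[1:])
            elif key == "redirect":
                # The last argument is the target URL; keep only its host part.
                m = re.match(r'"?https?://([^/%:"]+)', parts[-1])
                vh["target"] = m.group(1).lower() if m else None
        vhosts.append(vh)
    return vhosts

def check(conf):
    """Return violations of the two NOTE rules as a list of messages."""
    vhosts = parse_vhosts(conf)
    # Simplification: one <VirtualHost> per ServerName.
    index = {vh["name"]: i for i, vh in enumerate(vhosts) if vh["name"]}
    problems = []
    for i, vh in enumerate(vhosts):
        name, tgt = vh["name"], vh["target"]
        if not name or not tgt or tgt == name or tgt not in index:
            continue
        if i > index[tgt]:  # rule 1: redirecting vhost comes first
            problems.append(f"{name} must be defined above {tgt}")
        if name not in vhosts[index[tgt]]["aliases"]:  # rule 2
            problems.append(f"{tgt} needs ServerAlias {name}")
    return problems
```

The host match also accepts the expression form of the redirect shown above.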