Certbot renew error on www subdomain

I have Nextcloud running behind an Apache reverse proxy. When I try to run sudo certbot renew --apache --dry-run all renewals are successful except Nextcloud which seems to fail specifically on the www subdomain:

The following simulated renewals failed:
  /etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

 - The following errors were reported by the server:

   Domain: www.nextcloud.mydomain.com
   Type:   unauthorized
   Detail: myip: Invalid response from

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My apache virtual host config looks like:

<VirtualHost *:80>
	ServerName nextcloud.mydomain.com
	ServerAdmin admin@mydomain.com

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =nextcloud.mydomain.com
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

<VirtualHost *:443>
    ServerName nextcloud.mydomain.com
    ServerAlias www.nextcloud.mydomain.com
    DocumentRoot /var/www/html/nextcloud/

    Protocols h2 http/1.1

    ErrorLog /var/log/apache2/nextcloud.mydomain.com-error.log
    CustomLog /var/log/apache2/nextcloud.mydomain.com-access.log combined

    SSLEngine On

    <Directory /var/www/html/nextcloud/>
      Options +FollowSymlinks
      AllowOverride All

		<IfModule mod_dav.c>
			Dav off

		SetEnv HOME /var/www/html/nextcloud
		SetEnv HTTP_HOME /var/www/html/nextcloud

    Header always set Referrer-Policy "no-referrer"
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

	Redirect 301 /.well-known/carddav /remote.php/dav
	Redirect 301 /.well-known/caldav /remote.php/dav

	Redirect 301 /.well-known/webfinger /index.php/.well-known/webfinger
	Redirect 301 /.well-known/nodeinfo /index.php/.well-known/nodeinfo
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.mydomain.com/privkey.pem

Trying to access http://www.nextcloud.mydomain.com/.well-known/acme-challenge/XDzS9k3PjGvYHOu9QtDzyXhK14ggEYcWWH-wFjV7_e0 in a browser redirects me to https://nextcloud.mydomain.com.

Anybody able to point me in the right direction?


for my, you have a dns zone error. check record type A/AAAA

You may found some help there:

The DNS record is definitely correct, and the installation is accessible. I assume it’s a permissions or re-direct thing for the acme-challenge but can’t quite figure out what to change.