I have an Ubuntu server on Digital Ocean from which I'm running mainly a single domain, with multiple subdomains: domain.com, sub1.domain.com, sub2.domain.com, etc. Each has its own Virtual Host.
The Virtual Hosts are all configured via their own config files in /etc/apache2/sites-available:
domain.conf // port 80
domain-le-ssl.conf // port 443
sub1.domain.conf
sub1.domain-le-ssl.conf
etc...
I have an SSL certificate setup for all of them via Let's Encrypt / Certbot, forcing a redirect to HTTPS on all of them. Until now this has been working just fine. However, I now want to add another subdomain, sub3.domain.com.
I copied the conf files for sub2.domain.com and changed the relevant paths, servername, etc.:
sub3.domain.conf:
<VirtualHost *:80>
    ServerName sub3.domain.com
    DocumentRoot /var/www/sub3_domain/html
    <Directory "/var/www/sub3_domain/html">
        # use mod_rewrite for pretty URL support
        RewriteEngine on
        # If a directory or a file exists, use the request directly
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        # Otherwise forward the request to index.html
        RewriteRule . index.html
    </Directory>
    RewriteCond %{SERVER_NAME} =sub3.domain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
sub3.domain-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName sub3.domain.com
    DocumentRoot /var/www/sub3_domain/html
    <Directory "/var/www/sub3_domain/html">
        # use mod_rewrite for pretty URL support
        RewriteEngine on
        # If a directory or a file exists, use the request directly
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        # Otherwise forward the request to index.html
        RewriteRule . index.html
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
</VirtualHost>
</IfModule>
With all this setup, I then ran certbot-auto to renew my certificate and add the new subdomain to the certificate. When prompted for which sites I wanted to add, I left it blank and pressed enter for 'all' (sub3.domain was included in that list). It then correctly picked up that I had added a new subdomain and asked if I wanted to expand the license to cover the new domain. Hit 'e' for expand, and off it went, performing challenges.
Right away, things seemed a little off, since for all my existing domains it performed tls-sni-01 challenges, but for my new one it performed an http-01 challenge:
tls-sni-01 for domain.com
tls-sni-01 for sub1.domain.com
tls-sni-01 for sub2.domain.com
http-01 for sub3.domain.com
Sure enough, within a few seconds, I had the following output:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: sub3.domain.com
Type: unauthorized
Detail: Invalid response from
http://sub3.domain.com/.well-known/acme-challenge/lKPYKHvStBag4YFzmfRbO7UpEINC4SYjEPMj-R_J-BY:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"
To my knowledge, I don't have any particular or specific .htaccess or other such rules that would result in any subdirectory being forbidden - and in any case, why a different test for that one server?
I also tried this without copying the sub3.domain-le-ssl.conf file, since I do believe that's actually generated by certbot-auto. The process and outcome were identical.