It’s working now. I had to delete my certificate in the Certificate Management (made sure there were no certificates), and then I used CertBot to add the certificate instead.
Then I added the following to /etc/apache2/apache2.conf:
#secure SSL access
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName sub.example.com
ServerAlias sub.example.com
SSLCertificateFile /etc/letsencrypt/live/sub.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sub.example.com/fullchain.pem
</VirtualHost>
#http redirect
<VirtualHost *:80>
ServerName sub.example.com
ServerAlias sub.example.com
Redirect permanent / https://sub.example.com/
</VirtualHost>
#disable access by IP address
<VirtualHost *:80>
ServerName 11.222.33.444
<Location />
Require all denied
</Location>
</VirtualHost>
#disable access by IP address
<VirtualHost *:443>
ServerName 11.222.33.444
<Location />
Require all denied
</Location>
</VirtualHost>
It seems that there is a problem on some distros with using the Certificate Management module for generating HTTP-01 certificates, if I’m understanding this forum post correctly. And that the Certificate management console does not support DNS-01.