The secret sauce is:
<Location /.well-known>
ProxyPass !
</Location>
This switches the reverse proxy off for everything under /.well-known, so those requests are served as static files from the DocumentRoot instead of being forwarded to the backend on port 3000. That path is where certbot's webroot plugin writes its HTTP-01 challenge files (in /.well-known/acme-challenge/) to prove control of the domain, both for the initial cert and for every renewal. A ProxyPass inside a <Location> block is consulted before the server-level ProxyPass /, so the exclusion takes effect wherever in the VirtualHost it is placed.
Here's a full example config. Apache refuses to start while the SSL* directives point at certificate files that don't exist yet, so to get the initial cert created simply swap *:80 and *:443 and comment out all the SSL* lines to make Apache actually start without SSL, then once the cert is generated, edit it back the way it was. Renewals don't need this: certbot's HTTP-01 request arrives on port 80, the Redirect sends it to https://my.domain/.well-known/..., Let's Encrypt follows that redirect, and the 443 vhost answers it from the DocumentRoot thanks to the exclusion.
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName my.domain
ServerAlias www.my.domain
Redirect / https://my.domain/
</VirtualHost>
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName my.domain
ServerAlias www.my.domain
DocumentRoot /var/www/my.domain/public
ErrorLog /var/www/my.domain/logs/error.log
CustomLog /var/www/my.domain/logs/access.log combined
LogLevel warn
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
<Location /.well-known>
ProxyPass !
</Location>
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/my.domain/public>
# No Indexes: only /.well-known is ever served from here, and certbot does not
# need a directory listing of it.
Options FollowSymLinks
AllowOverride FileInfo
# Apache 2.4 access control; the 2.2 form "Order allow,deny / allow from all"
# only works with mod_access_compat loaded.
Require all granted
</Directory>
SSLEngine on
# SSLv2/SSLv3 are gone from modern OpenSSL; TLS 1.0 and 1.1 are deprecated, so
# disable them too and leave TLS 1.2+.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile /etc/letsencrypt/live/my.domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
# The chain file must hold only the intermediates (chain.pem); fullchain.pem
# also contains the leaf, which Apache would then send twice. On Apache 2.4.8+
# you can instead point SSLCertificateFile at fullchain.pem and drop this line.
SSLCertificateChainFile /etc/letsencrypt/live/my.domain/chain.pem
</VirtualHost>
Once Apache is up, request the cert with certbot's webroot plugin. The -w path must be the DocumentRoot of the vhost that answers for the name, and every hostname the vhost serves needs its own -d (for the example above that is my.domain and www.my.domain); a name missing from the cert, such as the www ServerAlias, will give visitors a certificate mismatch. The command for this site:
certbot certonly --webroot -w /var/www/secrets.peoplesopen.net/public -d secrets.peoplesopen.net
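A way to avoid the swap-and-comment-out dance entirely, added here as an example and not part of the original config: let the port-80 vhost serve the ACME challenge directory itself and redirect only everything else to HTTPS. With this in place the *:443 vhost can stay out of the config (or disabled) until the cert files exist, and renewals are answered directly on port 80 without depending on the redirect or the 443 exclusion. It assumes mod_rewrite is enabled (a2enmod rewrite on Debian/Ubuntu) and reuses the my.domain names and the /var/www/my.domain/public webroot from the example above.

```apache
# Added example, not from the original post: port-80 vhost that serves ACME
# HTTP-01 challenges as static files and redirects everything else to HTTPS.
# Names and paths (my.domain, /var/www/my.domain/public) are assumed to match
# the example config above.
<VirtualHost *:80>
    ServerName my.domain
    ServerAlias www.my.domain
    DocumentRoot /var/www/my.domain/public

    # certbot --webroot writes its challenge files here; they must be readable
    # and must be neither redirected nor proxied.
    <Directory /var/www/my.domain/public/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect every request except the challenge path to HTTPS (mod_rewrite;
    # plain Redirect / would also catch /.well-known).
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://my.domain%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With only this vhost enabled, issue the cert with `certbot certonly --webroot -w /var/www/my.domain/public -d my.domain -d www.my.domain`, then add the *:443 vhost with its SSL* directives and reload Apache; later renewals keep working because the challenge never leaves port 80.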