Let's Encrypt Renewal for controlpanel.mydomain.com Fails Unless Apache Is Stopped

Hi all,
The control panel is accessible at controlpanel.mydomain.com on a multi server setup.
Let's Encrypt renewal works automatically for other domains like webmail.mydomain.com, but not for controlpanel

The only way I can successfully renew the certificate for controlpanel is by stopping Apache and running certbot -q renew --standalone. If Apache is running, the renewal fails with a 404 error during the ACME challenge.

Can someone explain what might be wrong and how to make the renewal for controlpanel work automatically without needing to stop Apache?

Because of the above I can't login via webmail too as it throws connection to storage server failed

My conf /etc/letsencrypt/renewal/controlpanel.mydomain.com.conf has among others:

# Options used in the renewal process
[renewalparams]
account = 2cb975d4ca10ccfcbcac8a05746daba3
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

but even when I change standalone to webroot and add the /var/www/html/ still fails to renew

 

Did you work through the FAQ already? https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/