Sure enough, modifying my Apache conf to incorporate a direct link to the intermediate chain fixed the issue.
My LE-ISPConfig Apache conf now looks like this:
Alias "/.well-known/acme-challenge/" /var/le-ispconfig/
Require all granted
Header set Content-Type "text/plain"
That little line at the bottom was what made the difference; chain.pem (a symlink to my primary domain’s intermediate cert chain) will be updated as and when keys and site certs are updated via cron.
I post this here as my errors were a little more vague until I was able to track down the issue as an incomplete certificate chain error.
The default installation of Apache 2 on Ubuntu seems to include support for older, insecure ciphers. So while we’re munging config files, check your ssl.conf mod and see if you need to restrict cipher support with something like this:
#Enable only secure ciphers:
#Default above. Possible alternative below:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"