This is not a question, just a memo in case I am hit by a bus. Thanks to sahsanu at community.letsencrypt.org and Till on howtoforge.de
Running RStudio and Shiny server on Ubuntu/Apache2. Using a proxy to redirect ports 3838 and 8787 to a subdomain, and letsencrypt to make it https. For example, I can access my app with:
https://apps.menne-biomed.de/breathtestshiny/
instead of http://menne-biomed.de/breathtestshiny:3838. I had used the options below without the .well-known line before. This worked well with the exception of renewal: to renew, I had to remove all options and re-insert them later.
After adding the .well-known line below, automatic renewals work. You can test with
/opt/certbot/certbot-auto renew --force-renew
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPass /.well-known/acme-challenge !
ProxyPass /stats !
RedirectMatch permanent ^/apps/$ /apps/
ProxyPreserveHost Off
ProxyPassMatch ^/(.+)/websocket ws://localhost:3838/$1/websocket keepalive=On
ProxyPass / http://localhost:3838/
ProxyPassReverse / http://localhost:3838/
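
Why the .well-known line has to sit above `ProxyPass /`: Apache checks ProxyPass and ProxyPassMatch rules in configuration order and the first match wins, so the `!` exclusion only keeps the HTTP-01 challenge on the local server if it comes first. The script below is an added example, not part of the original memo; it is a simplified Python model of that matching for server/virtual-host context, and the function name, variable names and challenge token are made up for illustration.

```python
import re

# Directives from the post, in the same order (only the proxy rules matter here).
POST_CONFIG = """\
ProxyRequests Off
ProxyPass /.well-known/acme-challenge !
ProxyPass /stats !
ProxyPreserveHost Off
ProxyPassMatch ^/(.+)/websocket ws://localhost:3838/$1/websocket keepalive=On
ProxyPass / http://localhost:3838/
ProxyPassReverse / http://localhost:3838/
"""
ACME_RULE = "ProxyPass /.well-known/acme-challenge !\n"
# Constructed variants: the rule missing (the earlier setup) and the rule placed last.
WITHOUT_EXCLUSION = POST_CONFIG.replace(ACME_RULE, "")
EXCLUSION_TOO_LATE = WITHOUT_EXCLUSION + ACME_RULE

# Constructed HTTP-01 request path; the token is a placeholder.
PROBE = "/.well-known/acme-challenge/constructed-token"


def acme_challenge_target(conf: str, probe: str = PROBE) -> str:
    """Return "local" if Apache would answer `probe` itself, otherwise the
    backend URL the first matching rule would proxy it to."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        directive, pattern, target = parts[0].lower(), parts[1], parts[2]
        if directive == "proxypass":
            prefix = pattern.rstrip("/")
            matched = probe == prefix or probe.startswith(prefix + "/")
        elif directive == "proxypassmatch":
            # Python's re stands in for Apache's regex engine (approximation).
            matched = re.search(pattern, probe) is not None
        else:
            continue
        if matched:  # first matching rule wins
            return "local" if target == "!" else target
    return "local"  # no proxy rule applies


if __name__ == "__main__":
    for name in ("POST_CONFIG", "WITHOUT_EXCLUSION", "EXCLUSION_TOO_LATE"):
        print(f"{name}: {acme_challenge_target(globals()[name])}")
```

With the exclusion missing or placed after the catch-all rule, the challenge request goes to the Shiny backend on port 3838 instead of the local webroot, which matches the renewal failure described above.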