add CNAME api -> @ or * -> @
sudo certonly certonly -a webroot --webroot-path=/var/www/<your site>/current/public -d www.example.com -d example.com -d api.example.com
certonly. With the webroot plugin, you probably want to use the "certonly" command, eg:*.example.com, requires a plugin.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS./var/www/<your site> not work for rails project.