Don't copy the LE certificates. Instead use the ssl-cert group to
manage access to the LE certificates directly. See
https://github.com/letsencrypt/letsencrypt/issues/1425 for a request to
have the LE client do this itself.
Use Let's Encrypt for generating site certificates
This method uses Subjective Alternative Names (SANs) to get one
certificate for all the subdomains that Sovereign employs, whether or
not the user configured their site with the roles.
Avoid using the Include directive. Move most of the SSL configuration
to the global configuration and leave enabling the SSL engine to each
virtual host that wants to use it.