In order to support automatic LetsEncrypt certificate renewal certbot uses the --apache handler.
e.g.
certbot renew --apache
This handler installs a temporary VirtualHost for */.well-known/acme-challenge/ on the Apache server in order authenticate the renewal.
The problem is that this mechanism does not work if the existing virtual server uses HTTPS and Django over WSGI mounted on the http server root.
The temporary VirtualHost fails to capture the URL and so Django tries to service the request (and fails) as the URL is not in it's list of URLs.
Writing the question made me think about how it works, so I then worked out the answer. As I could not find an answer to what must be a common issue I thought I'd post what I have found.
There are other solutions, E.g. certbot-django and django-letsencrypt but both are fare more hastle than just letting the stock certbot handle it.
The --apache certbot handler places it's files in /var/lib/letsencrypt/http_challenges, so all that is required is to have Apache handle those files in the same way as the docs recommend for static files.