Now both domains are showing an error. What did we do wrongly? The behavior we’d like is that if any of those domains are typed in the browser, we’d like the user to be taken to https://baystreetclinic.com/<request path>. Thanks.
(--renew-by-default, also known by its newer name --force-renewal, isn't needed for this. It's just for renewing certificates unnecessarily. You're adding new names, which is different.)
https://baystreetclinic.com/ is using a certificate for baystreetclinic.ca right now, probably because of the certbot command you ran.
https://baystreetclinic.ca/ is using a certificate for shanx.com. I'm not sure why. It may be the default certificate if there isn't a server block with a matching server_name.
Could you paste "certbot certificates" and "nginx -T"?
I ran the command you suggested, and now baystreetclinic.com seems to be working, but the .ca is pointing to the default server. Also the www.baystreetclinic.com still points to the default server too?
You could add the other hostnames in the server_name line. I think that will explain to nginx that you want it to use that port 443 server block (including the baystreetclinic.com certificate) for all of the hostnames, not just for baystreetclinic.com itself.
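
The server_name suggestion above, sketched as an added nginx example that is not part of the original thread or the poster's actual configuration. It goes one step further than the reply by splitting the non-canonical names into their own block so they redirect to https://baystreetclinic.com/<request path>, as the first post asked. The hostnames are the ones named in the thread; the certificate paths assume certbot's default layout and a certificate named baystreetclinic.com that covers every listed name.

```nginx
# Added example. Hostnames come from the thread; certificate paths are
# assumptions (certbot's default /etc/letsencrypt/live/<cert-name>/ layout).

# Port 80: send every hostname to the canonical HTTPS origin.
server {
    listen 80;
    server_name baystreetclinic.com www.baystreetclinic.com baystreetclinic.ca;
    return 301 https://baystreetclinic.com$request_uri;
}

# Port 443, non-canonical names. Listing them in server_name stops nginx
# from falling back to the default server (and its unrelated certificate).
# The certificate must include each of these names: the TLS handshake
# happens before the redirect, so a missing name still produces a
# browser certificate error.
server {
    listen 443 ssl;
    server_name www.baystreetclinic.com baystreetclinic.ca;

    ssl_certificate     /etc/letsencrypt/live/baystreetclinic.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/baystreetclinic.com/privkey.pem;    # assumed path

    return 301 https://baystreetclinic.com$request_uri;
}

# Port 443, canonical site.
server {
    listen 443 ssl;
    server_name baystreetclinic.com;

    ssl_certificate     /etc/letsencrypt/live/baystreetclinic.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/baystreetclinic.com/privkey.pem;    # assumed path

    # Existing site configuration (root, location blocks, ...) stays here.
}
```

After reloading nginx, "certbot certificates" shows which names the certificate covers, and "nginx -T" shows which server block each server_name ends up in.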