Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: bogend.ca
I ran this command: browsing with chrome or galaxy browser
It produced this output: ERR_CERT_COMMON_NAME_INVALID
My web server is (include version): Apache 2.4.6
The operating system my web server runs on is (include version): Centos 7
My hosting provider, if applicable, is: Digital Oceans
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0
What seems to be the problem, is that I did not create a wildcard certificate that would handle www when I created "bogend.ca" certificate. I have tried to create a specific certificate for www, but it would not install.
I have now deleted the "bogend.ca" certificate and am trying to create a wildcard "*.bogend.ca" certificate
If you just need the apex and www names just have them both on one certificate. No need for wildcard and DNS validation. You did not describe the certbot command you used but you would typically just specify both domains in the command like:
-d "bogend.ca,www.bogend.ca"
Your Apache VirtualHost would need to have them both as a name or alias.
Wildcard certs don't cover apex names.
Because they can only cover names that end with ".example.com"
[notice the "." in the name. "example.com" lacks that leading "." and won't ever match]
So you would have to request a cert with two names on it: *.exmple.com example.com
Also note: Wildcard certs can't be authenticated via HTTP - they require DNS authentication.
DNS authentication requires making TXT record updates to public DNS zone.
Automation DNS updates requires the DNS Service Provider (DSP) to support updates via API.
The ACME client used must also have an API plugin that supports that particular DSP.
Ended up doing a double certificate with bogend.ca and www.bogend.ca
No wildcard certificates now and each subdomain has its own certificate:
www, mail, webmail, black-widow and the apex.