Apache2 serves wrong certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
clanmills.com

I would like to use the subdomain familytree.clanmills.com
I ran this command:

503 rmills@rmillsm4:~/clanmills $ curl --verbose https://familytree.clanmills.com
* Host familytree.clanmills.com:443 was resolved.
* IPv6: (none)
* IPv4: 147.93.86.33
*   Trying 147.93.86.33:443...
* Connected to familytree.clanmills.com (147.93.86.33) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=clanmills.com
*  start date: Oct  5 12:06:51 2025 GMT
*  expire date: Jan  3 12:06:50 2026 GMT
*  subjectAltName does not match host name familytree.clanmills.com
* SSL: no alternative certificate subject name matches target host name 'familytree.clanmills.com'
* Closing connection
curl: (60) SSL: no alternative certificate subject name matches target host name 'familytree.clanmills.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My certificates are:
504 rmills@rmillsm4:~/clanmills $ ssh root@clanmills.com 'certbot certificates'
Found the following certs:
Certificate Name: clanmills.co.uk-0001
Serial Number: 619bc4c9ab66e0794674a96dcdd55146df1
Key Type: ECDSA
Domains: clanmills.co.uk
Expiry Date: 2025-11-23 11:03:36+00:00 (VALID: 48 days)
Certificate Path: /etc/letsencrypt/live/clanmills.co.uk-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/clanmills.co.uk-0001/privkey.pem
Certificate Name: clanmills.co.uk-0002
Serial Number: 619bc4c9ab66e0794674a96dcdd55146df1
Key Type: ECDSA
Domains: clanmills.co.uk
Expiry Date: 2025-11-23 11:03:36+00:00 (VALID: 48 days)
Certificate Path: /etc/letsencrypt/live/clanmills.co.uk-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/clanmills.co.uk-0002/privkey.pem
Certificate Name: clanmills.com
Serial Number: 53d160eb657cd3f7fe9470bdc74b104672a
Key Type: ECDSA
Domains: clanmills.com clanmills.co.uk www.clanmills.co.uk www.clanmills.com
Expiry Date: 2026-01-03 12:06:50+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/clanmills.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/clanmills.com/privkey.pem
Certificate Name: familytree.clanmills.co.uk
Serial Number: 6856644980a44b9b34790c464dd70068b85
Key Type: ECDSA
Domains: familytree.clanmills.co.uk
Expiry Date: 2026-01-03 13:30:26+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/familytree.clanmills.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/familytree.clanmills.co.uk/privkey.pem
Certificate Name: familytree.clanmills.com-0001
Serial Number: 6703624f97eef184df013a4032dd58f2cf8
Key Type: ECDSA
Domains: familytree.clanmills.com
Expiry Date: 2026-01-03 13:32:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/familytree.clanmills.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/familytree.clanmills.com-0001/privkey.pem
Certificate Name: familytree.clanmills.com
Serial Number: 669fd0afaffcb0a11344f15407089bdd1d5
Key Type: ECDSA
Domains: familytree.clanmills.com familytree.clanmills.co.uk
Expiry Date: 2026-01-03 13:28:56+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/familytree.clanmills.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/familytree.clanmills.com/privkey.pem


505 rmills@rmillsm4:~/clanmills $


My web server is (include version):

506 rmills@rmillsm4:~/clanmills $ ssh root@clanmills.com 'apachectl status'
Apache Server Status for localhost (via ::1)

Server Version: Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13
Server MPM: event
Server Built: 2025-08-11T11:10:09
__________________________________________________________________

Current Time: Sunday, 05-Oct-2025 16:38:12 BST
Restart Time: Sunday, 05-Oct-2025 16:00:40 BST
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 37 minutes 31 seconds
Server load: 0.02 0.02 0.00
Total accesses: 653 - Total Traffic: 228.3 MB - Total Duration: 5010
CPU Usage: u.82 s.75 cu0 cs0 - .0697% CPU load
.29 requests/sec - 103.9 kB/second - 358.0 kB/request - 7.67228
ms/request

1 requests currently being processed, 0 workers gracefully restarting,
49 idle workers

Slot PID Stopping Connections Threads Async connections
total accepting busy graceful idle writing keep-alive closing
0 1640 no 0 yes 1 0 24 0 0 0
1 1641 no 0 yes 0 0 25 0 0 0
Sum 2 0 0 1 0 49 0 0 0

W_________________..............
................................................................
......................

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
'www-browser -dump http://localhost:80/server-status' failed.
Maybe you need to install a package providing www-browser or you
need to adjust the APACHE_LYNX variable in /etc/apache2/envvars

The operating system my web server runs on is (include version):

505 rmills@rmillsm4:~/clanmills $ ssh root@clanmills.com 'uname -a'
Linux clanmills.co.uk 6.8.0-85-generic #85-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 18 15:26:59 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux


My hosting provider, if applicable, is:
It's a VPS hosted by hostinger.com

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.  I use the terminal via ssh.

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot):

507 rmills@rmillsm4:~/clanmills $ ssh root@clanmills.com 'certbot --version'
certbot 2.9.0
508 rmills@rmillsm4:~/clanmills $

Well, that's a little bit of a mess there :slight_smile: You have a number of overlapping certificates. We should delete the ones you don't use.

And, you have 3 certificates related to familytree and your Apache isn't using any of them. Mind, only 2 of these 3 have the .com version with the 3rd for the .co.uk name.

So, let's start by seeing output of this to see what Apache is using

apachectl -t -D DUMP_VHOSTS
2 Likes

Correct, Mike. It's a pigsty. I'm new to certificate magic. I was sure that a kind soul would take pity on me. Thank you for getting involved.

511 rmills@rmillsm4:~/GD/Scores/Cove Brass/Small Band $ ssh root@clanmills.com 'apachectl -t -D DUMP_VHOSTS'
VirtualHost configuration:
[2a02:4780:f:93fe::1]:443 clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
[2a02:4780:f:93fe::1]:80 clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
147.93.86.33:80        clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
*:80                   clanmills.com (/etc/apache2/sites-enabled/clanmills.com.conf:1)
*:443                  is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
         port 443 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
                 alias clanmills.co.uk
                 alias www.clanmills.co.uk
                 alias www.clanmills.co.uk
         port 443 namevhost clanmills.com (/etc/apache2/sites-enabled/clanmills.com-le-ssl.conf:2)
                 alias www.clanmills.com
         port 443 namevhost ubuntu-24.localhost (/etc/apache2/apache2.conf:229)
[Sun Oct 05 18:13:55.381052 2025] [core:error] [pid 9383:tid 138937009297280] (EAI 2)Name or service not known: AH00547: Could not resolve host name familytree.clanmills.com -- ignoring!
AH00112: Warning: DocumentRoot [/var/www/familytree] does not exist
512 rmills@rmillsm4:~/GD/Scores/Cove Brass/Small Band $ 

I've fixed: AH00112: Warning: DocumentRoot [/var/www/familytree] does not exist and now:

root@clanmills:/var/www# ls -l
total 8
lrwxrwxrwx  1 root   root    14 Jul 11 14:44 clanmills.co.uk -> /var/www/html/
lrwxrwxrwx  1 root   root    14 Jun 26 15:22 clanmills.com -> /var/www/html/
lrwxrwxrwx  1 root   root    25 Oct  5 18:26 familytree -> /var/www/html/familytree/
drwxr-xr-x 48 rmills staff 4096 Sep 29 14:18 html
drwxr-xr-x  2 root   root  4096 Oct  5 08:38 webalizer
root@clanmills:/var/www# apachectl -t -D DUMP_VHOSTS
[Sun Oct 05 18:26:50.785704 2025] [core:error] [pid 10060:tid 134690669885312] (EAI 2)Name or service not known: AH00547: Could not resolve host name familytree.clanmills.com -- ignoring!
VirtualHost configuration:
[2a02:4780:f:93fe::1]:443 clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
[2a02:4780:f:93fe::1]:80 clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
147.93.86.33:80        clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
*:80                   clanmills.com (/etc/apache2/sites-enabled/clanmills.com.conf:1)
*:443                  is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
         port 443 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
                 alias clanmills.co.uk
                 alias www.clanmills.co.uk
                 alias www.clanmills.co.uk
         port 443 namevhost clanmills.com (/etc/apache2/sites-enabled/clanmills.com-le-ssl.conf:2)
                 alias www.clanmills.com
         port 443 namevhost ubuntu-24.localhost (/etc/apache2/apache2.conf:229)
root@clanmills:/var/www# 

I'm in trouble with both the certificates and /etc/apache2/sites-available/

Oh boy. So, you have a complex mix of IP-based and Name-Based VirtualHosts to go along with your certificate "pigsty" (your words :slight_smile: )

Let's sort out your port 80 VHosts first. Mind you, none of this is complicated but walking you through this carefully to avoid inducing other problems will take some time.

Please show contents of these two files. Ideally wrap the contents as "preformatted text" so we don't lose Apache tags to the forum's formatting. I can fix that if you don't but nicer if I don't have to.

/etc/apache2/sites-enabled/clanmills.co.uk.conf
/etc/apache2/sites-enabled/clanmills.com.conf
3 Likes

It's an unholy mess. I am guilty. I don't know how some of this code arrived on the server! I will be happy to pay you a consultancy fee to fix this mess.

root@clanmills:/etc/apache2/sites-available# ls -l
total 36
-rw-r--r-- 1 root root   33 Mar  5  2025 000-default-le-ssl.conf
-rw-r--r-- 1 root root 1419 Feb  7  2025 000-default.conf
-rw-r--r-- 1 root root 1887 Aug 25 11:32 clanmills.co.uk-le-ssl.conf
-rw-r--r-- 1 root root 1166 Jul 10 18:44 clanmills.co.uk.conf
-rw-r--r-- 1 root root  482 Aug 25 11:32 clanmills.com-le-ssl.conf
-rw-r--r-- 1 root root  441 Jun 26 12:23 clanmills.com.conf
-rw-r--r-- 1 root root 4573 Mar 18  2024 default-ssl.conf
-rw-r--r-- 1 root root  552 Oct  5 15:30 familytree-le-ssl.conf
root@clanmills:/etc/apache2/sites-available# 
  1. /etc/apache2/sites-enabled/clanmills.co.uk.conf
root@clanmills:/etc/apache2/sites-available# cat /etc/apache2/sites-enabled/clanmills.co.uk.conf
<VirtualHost 147.93.86.33:80 [2a02:4780:f:93fe::1]:80>
    ServerName clanmills.co.uk
    ServerAlias clanmills.co.uk
    ServerAlias www.clanmills.co.uk
    ServerAlias www.clanmills.co.uk
    DocumentRoot /home/._default_hostname/public_html
    ErrorLog /var/log/virtualmin/clanmills.co.uk_error_log
    CustomLog /var/log/virtualmin/clanmills.co.uk_access_log combined
    ScriptAlias /cgi-bin/ /home/._default_hostname/cgi-bin/
    DirectoryIndex index.php index.htm index.html
    <Directory /home/._default_hostname/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        AddType text/plain .php
    </Directory>
    <Directory /home/._default_hostname/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    RemoveHandler .php
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =clanmills.co.uk
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
root@clanmills:/etc/apache2/sites-available# 
  2. /etc/apache2/sites-enabled/clanmills.com.conf
root@clanmills:/etc/apache2/sites-available# cat /etc/apache2/sites-enabled/clanmills.com.conf
<VirtualHost *:80>
    ServerName clanmills.com
    ServerAlias www.clanmills.com
    DocumentRoot /var/www/clanmills.com

    ErrorLog ${APACHE_LOG_DIR}/clanmills.com-error.log
    CustomLog ${APACHE_LOG_DIR}/clanmills.com-access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =clanmills.com [OR]
RewriteCond %{SERVER_NAME} =www.clanmills.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
root@clanmills:/etc/apache2/sites-available# 
1 Like

Okay. The first step is easy. We'll get rid of IP-based VHost for port 80. There are certain, more complex, systems that require IP-based but Name-based are preferred and far more common.

In /etc/apache2/sites-enabled/clanmills.co.uk.conf
Change
<VirtualHost 147.93.86.33:80 [2a02:4780:f:93fe::1]:80>
to
<VirtualHost *:80>

You could/should remove the duplicated ServerAlias names in that file too. You just need the one ServerName and one ServerAlias for the other name. For some reason you repeat the names. This just cleans up the diagnostic output (and eliminates chances for typos causing wrong outputs)

After you did that and checked your work with sudo apachectl -t -D DUMP_VHOSTS show this config file. You show it in sites-available. Is it also in sites-enabled?

familytree-le-ssl.conf
3 Likes

Mike. If you send me your public key, I can give you access ssh access to the server.

I'm not too sure how that stuff got there. The server was originally called clanmills.co.uk. Simple. No familytree.clanmills.anything and No clanmills.com

When that seemed to be working OK for about three months, I decided to move clanmills.com from a hosted server. I added the WebMin/VirtualAdmin control panel which changed the webserver and moved the website to /home/._default_hostname/

Here is sites-enabled:

root@clanmills:/etc/apache2/sites-available# ls -l ../sites-enabled/
total 0
lrwxrwxrwx 1 root root 52 Feb  7  2025 000-default-le-ssl.conf -> /etc/apache2/sites-available/000-default-le-ssl.conf
lrwxrwxrwx 1 root root 56 Jun 26 12:24 clanmills.co.uk-le-ssl.conf -> /etc/apache2/sites-available/clanmills.co.uk-le-ssl.conf
lrwxrwxrwx 1 root root 49 Feb  7  2025 clanmills.co.uk.conf -> /etc/apache2/sites-available/clanmills.co.uk.conf
lrwxrwxrwx 1 root root 54 Jun 26 12:23 clanmills.com-le-ssl.conf -> /etc/apache2/sites-available/clanmills.com-le-ssl.conf
lrwxrwxrwx 1 root root 37 Jun 26 12:22 clanmills.com.conf -> ../sites-available/clanmills.com.conf
lrwxrwxrwx 1 root root 41 Oct  5 11:54 familytree-le-ssl.conf -> ../sites-available/familytree-le-ssl.conf
root@clanmills:/etc/apache2/sites-available# 

And familytree-le-ssl.conf

root@clanmills:/etc/apache2/sites-available# cat familytree-le-ssl.conf 
<IfModule mod_ssl.c>
<VirtualHost familytree.clanmills.com:443>
    ServerName familytree.clanmills.com
    ServerAlias familytree.clanmills.com
    DocumentRoot /var/www/familytree

    ErrorLog ${APACHE_LOG_DIR}/clanmills.com-error.log
    CustomLog ${APACHE_LOG_DIR}/clanmills.com-access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/familytree.clanmills.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/familytree.clanmills.com-0001/privkey.pem
</VirtualHost>
</IfModule>
root@clanmills:/etc/apache2/sites-available# 

To avoid making things worse, I won't change anything if you prefer to send your public key.

Yeah, I don't offer help outside of this forum.

You should make the changes to that port 80 VHost that I described. We want to get rid of all the IP-based VHosts.

As for /etc/apache2/sites-available/familytree-le-ssl.conf ...

Change

<VirtualHost familytree.clanmills.com:443>
    ServerName familytree.clanmills.com
    ServerAlias familytree.clanmills.com

To:

<VirtualHost *:443>
    ServerName familytree.clanmills.com

This changes IP-based to Name-Based and removes an unneeded ServerAlias.

After making above changes you must restart Apache.

After all that then please show output of this again

apachectl -t -D DUMP_VHOSTS
2 Likes

Wow. That's a LOT better. Thank you.

root@clanmills:/etc/apache2/sites-available# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
[2a02:4780:f:93fe::1]:443 clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
         port 80 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
         port 80 namevhost clanmills.com (/etc/apache2/sites-enabled/clanmills.com.conf:1)
                 alias www.clanmills.com
*:443                  is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
         port 443 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
                 alias clanmills.co.uk
                 alias www.clanmills.co.uk
                 alias www.clanmills.co.uk
         port 443 namevhost clanmills.com (/etc/apache2/sites-enabled/clanmills.com-le-ssl.conf:2)
                 alias www.clanmills.com
         port 443 namevhost familytree.clanmills.com (/etc/apache2/sites-enabled/familytree-le-ssl.conf:2)
         port 443 namevhost ubuntu-24.localhost (/etc/apache2/apache2.conf:229)
root@clanmills:/etc/apache2/sites-available# 

curl appears to be happy with three urls: https://clanmills.com, https://clanmills.co.uk and https://familytree.clanmills.com

curl is unhappy with url https://familytree.clanmills.co.uk and that makes sense because familytree-le-ssl.conf is configured for clanmills.com. I should create familytree-couk-le-ssl.conf to service that URL.

Do you think we're done here, or do I need more "bathroom air freshener" in /etc/apache2?

Much more air freshener needed sorry to say

Looks like you removed one too many ServerAlias lines from:
/etc/apache2/sites-enabled/clanmills.co.uk.conf
Add one like this in that file VHost
ServerAlias www.clanmills.co.uk

No, don't create another file just add the .co.uk name as a ServerAlias name in familytree-le-ssl.conf

Then, change these two lines:

SSLCertificateFile /etc/letsencrypt/live/familytree.clanmills.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/familytree.clanmills.com-0001/privkey.pem

to

SSLCertificateFile /etc/letsencrypt/live/familytree.clanmills.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/familytree.clanmills.com/privkey.pem

Why? Because your -0001 cert only has the .com name in it. But, your original cert had both .com and .co.uk so it works for both.

Once that is done we need to sort out your Certbot renewal profile for familytree.

I'll wait until all that is done and I'll verify it. Then I'll instruct on the rest

3 Likes
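Added example (not from the thread or from either poster): a Python script that parses the `apachectl -t -D DUMP_VHOSTS` output shown in this thread and predicts which VirtualHost, and therefore which certificate, Apache hands to a client for a given SNI name. It models the rule behind the original curl error: when no vhost on *:443 lists the requested name (here the familytree vhost had been dropped entirely because of the AH00547 "Could not resolve host name" error from its `<VirtualHost familytree.clanmills.com:443>` line), Apache falls back to the first vhost defined for that address, the one the dump labels "default server", and presents that vhost's certificate. The CN=clanmills.com certificate curl received, with the same 2026-01-03 12:06:50 expiry as the clanmills.com entry in `certbot certificates`, is consistent with that. The script also reports IP-based binds (which shadow `*:port` for connections to that address) and lists the ServerName/ServerAlias entries a certificate's SANs leave uncovered, the reason the -0001 certificate could not serve the .co.uk alias. The sample dumps are copied (abridged) from the posts above; the SAN list attached to clanmills.co.uk-le-ssl.conf is an assumption, since that file's SSLCertificateFile never appears in the thread.

```python
"""Parse `apachectl -t -D DUMP_VHOSTS` output and predict which VirtualHost (hence which cert) Apache
answers with for an SNI name: exact address:port binds are tried before `*:port`; the first ServerName/
ServerAlias match wins; with no match the FIRST vhost of that address ("default server") answers."""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from types import SimpleNamespace

@dataclass
class VHost:
    server_name: str
    conf: str                                   # "path:line" of the <VirtualHost> block
    aliases: list = field(default_factory=list)

_RE_SINGLE = re.compile(r"^(\S+:\d+)\s+(\S+)\s+\((\S+:\d+)\)$")
_RE_SECTION = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost$")
_RE_NAMEVH = re.compile(r"^port \d+ namevhost (\S+)\s+\((\S+:\d+)\)$")
_RE_ALIAS = re.compile(r"^alias (\S+)$")
_RE_AH00547 = re.compile(r"AH00547: Could not resolve host name (\S+) -- ignoring")

def parse_dump_vhosts(text):
    # name_based: "*:443" -> [VHost] in config order; ip_based: [(addr:port, VHost)]; ignored: AH00547 names
    dump, section, cur = SimpleNamespace(name_based={}, ip_based=[], ignored=[]), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _RE_AH00547.search(line):       # <VirtualHost unresolvable.name:443> is dropped whole
            dump.ignored.append(m.group(1)); cur = None
        elif m := _RE_SECTION.match(line):
            section = m.group(1); dump.name_based.setdefault(section, []); cur = None
        elif (m := _RE_NAMEVH.match(line)) and section:
            cur = VHost(m.group(1), m.group(2)); dump.name_based[section].append(cur)
        elif (m := _RE_ALIAS.match(line)) and cur is not None:
            cur.aliases.append(m.group(1))
        elif m := _RE_SINGLE.match(line):       # bind with a single vhost; the dump prints no aliases
            addr, cur, section = m.group(1), VHost(m.group(2), m.group(3)), None
            if addr.startswith("*:"):
                dump.name_based.setdefault(addr, []).append(cur)
            else:
                dump.ip_based.append((addr, cur))
    return dump

def select_vhost(dump, port, hostname, dst_addr=None):
    """Vhost answering SNI/Host `hostname` on `port`; `dst_addr` (IPv6 in brackets) matters for IP binds."""
    h = hostname.lower()
    exact = [vh for addr, vh in dump.ip_based if addr == f"{dst_addr}:{port}"]
    candidates = exact or dump.name_based.get(f"*:{port}", [])
    hit = (vh for vh in candidates                # ServerAlias accepts * and ? wildcards
           if vh.server_name.lower() == h or any(fnmatchcase(h, a.lower()) for a in vh.aliases))
    return next(hit, candidates[0] if candidates else None)

def san_matches(san, hostname):
    """RFC 6125 style: exact match, or a wildcard covering exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return san == hostname

def predict_served_cert(dump, port, hostname, sans_by_conf, dst_addr=None):
    """(vhost, SANs of its certificate, hostname covered?) or None when nothing listens on `port`."""
    vh = select_vhost(dump, port, hostname, dst_addr)
    if vh is None:
        return None
    sans = sans_by_conf.get(vh.conf.rsplit(":", 1)[0], [])
    return vh, sans, any(san_matches(s, hostname) for s in sans)

def uncovered_names(vh, sans):
    """Literal ServerName/ServerAlias entries the vhost's certificate does not cover."""
    return [n for n in [vh.server_name, *vh.aliases]
            if not any(c in n for c in "*?") and not any(san_matches(s, n) for s in sans)]

# Sample input: the thread's first DUMP_VHOSTS (abridged) and the familytree part of its final one.
ORIGINAL_DUMP = """\
[2a02:4780:f:93fe::1]:443 clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
147.93.86.33:80        clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
*:80                   clanmills.com (/etc/apache2/sites-enabled/clanmills.com.conf:1)
*:443                  is a NameVirtualHost
         port 443 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
                 alias clanmills.co.uk
                 alias www.clanmills.co.uk
                 alias www.clanmills.co.uk
         port 443 namevhost clanmills.com (/etc/apache2/sites-enabled/clanmills.com-le-ssl.conf:2)
                 alias www.clanmills.com
[Sun Oct 05 18:13:55.381052 2025] [core:error] [pid 9383:tid 138937009297280] (EAI 2)Name or service not known: AH00547: Could not resolve host name familytree.clanmills.com -- ignoring!
"""
FIXED_DUMP = """\
*:443                  is a NameVirtualHost
         port 443 namevhost familytree.clanmills.com (/etc/apache2/sites-enabled/familytree-le-ssl.conf:2)
                 alias familytree.clanmills.co.uk
"""
# Constructed: SANs of the cert each *-le-ssl.conf loads. familytree's is the cert the thread ends with;
# clanmills.co.uk-le-ssl.conf's is an ASSUMPTION (never shown), matching the CN=clanmills.com cert curl saw.
SANS_BY_CONF = {
    "/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf":
        ["clanmills.com", "clanmills.co.uk", "www.clanmills.co.uk", "www.clanmills.com"],
    "/etc/apache2/sites-enabled/familytree-le-ssl.conf": ["familytree.clanmills.com", "familytree.clanmills.co.uk"],
}

if __name__ == "__main__":                      # before the fix: clanmills.co.uk's vhost answers, wrong cert
    vh, sans, ok = predict_served_cert(parse_dump_vhosts(ORIGINAL_DUMP), 443, "familytree.clanmills.com", SANS_BY_CONF)
    print(vh.server_name, vh.conf, sans, ok)
```

To use it on a live box, feed it `apachectl -t -D DUMP_VHOSTS 2>&1` (the AH00547 line goes to stderr, so merge it) and build the SAN map from `openssl x509 -noout -ext subjectAltName -in <fullchain.pem>` for each SSLCertificateFile; the `ignored` list and any non-`*:` binds should both be empty once the cleanup in this thread is done.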

I've done that (hopefully correctly). I'm not sure! (please forgive my mistakes)

root@clanmills:/etc/apache2/sites-enabled# cat familytree-le-ssl.conf 
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName familytree.clanmills.com
    ServerAlias familytree.clanmills.co.uk
    DocumentRoot /var/www/familytree

    ErrorLog ${APACHE_LOG_DIR}/clanmills.com-error.log
    CustomLog ${APACHE_LOG_DIR}/clanmills.com-access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/familytree.clanmills.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/familytree.clanmills.com/privkey.pem
</VirtualHost>
</IfModule>
root@clanmills:/etc/apache2/sites-enabled# 

Here is the DUMP_VHOSTS output:

root@clanmills:/etc/apache2/sites-available# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
[2a02:4780:f:93fe::1]:443 clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
         port 80 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
                 alias www.clanmills.co.uk
         port 80 namevhost clanmills.com (/etc/apache2/sites-enabled/clanmills.com.conf:1)
                 alias www.clanmills.com
*:443                  is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
         port 443 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
                 alias clanmills.co.uk
                 alias www.clanmills.co.uk
                 alias www.clanmills.co.uk
         port 443 namevhost clanmills.com (/etc/apache2/sites-enabled/clanmills.com-le-ssl.conf:2)
                 alias www.clanmills.com
         port 443 namevhost familytree.clanmills.com (/etc/apache2/sites-enabled/familytree-le-ssl.conf:2)
                 alias familytree.clanmills.co.uk
         port 443 namevhost ubuntu-24.localhost (/etc/apache2/apache2.conf:229)

Excellent. Looking much better. I hope you are starting to see the pattern I'm going for.

Let's delete the 2 unused Certbot certs for familytree. Otherwise Certbot will try to renew those "forever".

Run below. Use sudo if you need it but you haven't so far so probably not

certbot delete --cert-name familytree.clanmills.com-0001
certbot delete --cert-name familytree.clanmills.co.uk

Then, please show this file so we can sort out the Certbot renewal for this one

/etc/letsencrypt/renewal/familytree.clanmills.com.conf

You can redact the account number when posting if you wish

2 Likes

I think I'm following you. For sure, I know that I appreciate your help and skills.

root@clanmills:/etc/letsencrypt# cat /etc/letsencrypt/renewal/familytree.clanmills.com.conf
# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/familytree.clanmills.com
cert = /etc/letsencrypt/live/familytree.clanmills.com/cert.pem
privkey = /etc/letsencrypt/live/familytree.clanmills.com/privkey.pem
chain = /etc/letsencrypt/live/familytree.clanmills.com/chain.pem
fullchain = /etc/letsencrypt/live/familytree.clanmills.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 60...69
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
root@clanmills:/etc/letsencrypt#
1 Like

On the home stretch for familytree :slight_smile:

Make a new file named familytree.conf in sites-available. Then, use command a2ensite to activate it (by making the symlink in sites-enabled). You should see these two domain names listed in the *:80 section of the DUMP_VHOSTS command when complete

<VirtualHost *:80>
    ServerName familytree.clanmills.com
    ServerAlias familytree.clanmills.co.uk
    DocumentRoot /var/www/familytree

    ErrorLog ${APACHE_LOG_DIR}/clanmills.com-error.log
    CustomLog ${APACHE_LOG_DIR}/clanmills.com-access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =familytree.clanmills.com [OR]
    RewriteCond %{SERVER_NAME} =familytree.clanmills.co.uk
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Then, test the Certbot renewal with below command. Don't try it unless you see familytree domains show up in the DUMP_VHOSTS. The --dry-run will not affect your production certs or config. It is just a test

certbot renew --dry-run --cert-name familytree.clanmills.com
2 Likes

The --dry-run succeeded:

root@clanmills:/etc/apache2/sites-available# certbot renew --dry-run --cert-name familytree.clanmills.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/familytree.clanmills.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for familytree.clanmills.com and familytree.clanmills.co.uk

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/familytree.clanmills.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@clanmills:/etc/apache2/sites-available# 

I think the DUMP is OK:

root@clanmills:/etc/apache2/sites-available# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
[2a02:4780:f:93fe::1]:443 clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
         port 80 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
                 alias www.clanmills.co.uk
         port 80 namevhost clanmills.com (/etc/apache2/sites-enabled/clanmills.com.conf:1)
                 alias www.clanmills.com
         port 80 namevhost familytree.clanmills.com (/etc/apache2/sites-enabled/familytree.conf:1)
                 alias familytree.clanmills.co.uk
*:443                  is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
         port 443 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
                 alias clanmills.co.uk
                 alias www.clanmills.co.uk
                 alias www.clanmills.co.uk
         port 443 namevhost clanmills.com (/etc/apache2/sites-enabled/clanmills.com-le-ssl.conf:2)
                 alias www.clanmills.com
         port 443 namevhost familytree.clanmills.com (/etc/apache2/sites-enabled/familytree-le-ssl.conf:2)
                 alias familytree.clanmills.co.uk
         port 443 namevhost ubuntu-24.localhost (/etc/apache2/apache2.conf:229)
root@clanmills:/etc/apache2/sites-available# 

You have been very helpful and I would like to give you a reward of $100. Please choose:

  1. Email me with your bank transfer details (my email address is on my website).
  2. Nominate a good cause such as the Let's Encrypt Foundation or a choice close to your heart.
  3. Or decline my generosity because I worked on/maintained the Exiv2 Open Source Project (C++ Image Metadata Library) for 15 years.

That one ! :slight_smile:

Yes, familytree is looking good. Did you want www subdomains for those? Now is a good time to add them if so.

We could cleanup your other clanmills VHosts too. It's a similar process. That is, have just one VirtualHost for *:80 and one for *:443 with your 4 domain names (clanmills with both .com and .co.uk and the www for each) listed as 1 ServerName and 3 ServerAlias.

Your certificate name clanmills.com (from certbot certificates) already has all 4 domain names in it so the final VHost would use that for the SSLCertificate lines. You could then delete the -0001 and -0002 certs for those.

2 Likes

Choice 3 is the one I hoped you would choose! Thank you.

It's 10pm here in England and I've been working on this since 9am (with breaks of course). I'll go to bed now. During the week I'll review and think about how this really works and consider what else should be done. I don't need www for familytree.

You are the most helpful person I have ever met on a forum. Thank you very much indeed.

4 Likes

You are very welcome. Cheers

4 Likes

I found the courage to rewrite the Apache configuration files and deleted unused certificates on clanmills.com. It appears to be working OK.

root@clanmills:/var/www/familytree# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: clanmills.com
    Serial Number: 53d160eb657cd3f7fe9470bdc74b104672a
    Key Type: ECDSA
    Domains: clanmills.com clanmills.co.uk www.clanmills.co.uk www.clanmills.com
    Expiry Date: 2026-01-03 12:06:50+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/clanmills.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/clanmills.com/privkey.pem
  Certificate Name: familytree.clanmills.com
    Serial Number: 669fd0afaffcb0a11344f15407089bdd1d5
    Key Type: ECDSA
    Domains: familytree.clanmills.com familytree.clanmills.co.uk
    Expiry Date: 2026-01-03 13:28:56+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/familytree.clanmills.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/familytree.clanmills.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@clanmills:/var/www/familytree# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
         port 80 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
                 alias clanmills.com
                 alias www.clanmills.co.uk
                 alias www.clanmills.com
         port 80 namevhost familytree.clanmills.com (/etc/apache2/sites-enabled/familytree.conf:1)
                 alias familytree.clanmills.co.uk
*:443                  is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
         port 443 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
                 alias clanmills.co.uk
                 alias www.clanmills.co.uk
                 alias clanmills.com
                 alias www.clanmills.com
         port 443 namevhost familytree.clanmills.com (/etc/apache2/sites-enabled/familytree-le-ssl.conf:2)
                 alias familytree.clanmills.co.uk
         port 443 namevhost ubuntu-24.localhost (/etc/apache2/apache2.conf:229)
root@clanmills:/var/www/familytree# 

I only have 2 pairs of configuration files in /etc/apache2/sites-available.

root@clanmills:/etc/apache2/sites-available# ls -l
total 24
-rw-r--r-- 1 root root 1537 Oct  9 14:40 clanmills.co.uk-le-ssl.conf
-rw-r--r-- 1 root root 1188 Oct  9 14:51 clanmills.co.uk.conf
-rw-r--r-- 1 root root 4573 Mar 18  2024 default-ssl.conf
-rw-r--r-- 1 root root  521 Oct  5 20:47 familytree-le-ssl.conf
-rw-r--r-- 1 root root  909 Oct  9 15:06 familytree.conf
root@clanmills:/etc/apache2/sites-available# 

familytree-le-ssl.conf and familytree.conf are unchanged from above. The other pair serves clanmills.co.uk (the original site) and clanmills.com (which used to be hosted elsewhere).

root@clanmills:/etc/apache2/sites-available# cat clanmills.co.uk.conf 
<VirtualHost *:80>
    # Servernames:
    ServerName  clanmills.co.uk
    ServerAlias clanmills.com
    ServerAlias www.clanmills.co.uk
    ServerAlias www.clanmills.com
    
    # Directories and files:
    DocumentRoot /home/._default_hostname/public_html
    ErrorLog     /var/log/virtualmin/clanmills.co.uk_error_log
    CustomLog    /var/log/virtualmin/clanmills.co.uk_access_log combined
    ScriptAlias  /cgi-bin/     /home/._default_hostname/cgi-bin/
    DirectoryIndex index.php index.htm index.html
    <Directory /home/._default_hostname/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        AddType text/plain .php
    </Directory>
    <Directory /home/._default_hostname/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>

    # rewrite engine
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =clanmills.co.uk
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
root@clanmills:/etc/apache2/sites-available# cat clanmills.co.uk-le-ssl.conf 
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        # Servernames
        ServerName  clanmills.co.uk
        ServerAlias clanmills.co.uk
        ServerAlias www.clanmills.co.uk
        ServerAlias clanmills.com
        ServerAlias www.clanmills.com

        # Directories and files
        DocumentRoot /home/._default_hostname/public_html
        ErrorLog /var/log/virtualmin/clanmills.co.uk_error_log
        CustomLog /var/log/virtualmin/clanmills.co.uk_access_log combined
        ScriptAlias /cgi-bin/ /home/._default_hostname/cgi-bin/

        DirectoryIndex index.php index.htm index.html
        <Directory /home/._default_hostname/public_html>
            Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
            Require all granted
            AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
            AddType text/plain .php
        </Directory>
        <Directory /home/._default_hostname/cgi-bin>
            Require all granted
            AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        </Directory>

        # certificates
        Include /etc/letsencrypt/options-ssl-apache.conf
        RewriteCond %{SERVER_NAME} =clanmills.co.uk
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
        SSLCertificateFile /etc/letsencrypt/live/clanmills.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/clanmills.com/privkey.pem
    </VirtualHost>
</IfModule>

I could not have achieved this result without the help of @MikeMcQ.

Mike, you are a star. Thank You very much.

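The fix above works because each `*:443` VirtualHost now points at a certificate whose subjectAltName list covers every ServerName and ServerAlias in that block, and because the first `*:443` vhost (the "default server" in `DUMP_VHOSTS`) is the one Apache presents when a client's SNI matches nothing. The following script is an added example, not code from the thread or from Certbot/Apache: it parses Apache vhost text offline and reports every name that its own certificate does not cover. `GOOD_CONF` mirrors the final `clanmills.co.uk-le-ssl.conf` (non-TLS directives omitted), `BAD_CONF` is a hypothetical vhost that points at the wrong certificate (the situation that yields curl's error 60), and `CERT_DOMAINS` is the certificate inventory as `certbot certificates` printed it in the thread.

```python
"""Offline consistency check: does every *:443 VirtualHost's certificate cover
all of its ServerName/ServerAlias names?  Added example, not from the thread."""
import re

# Constructed sample configs. GOOD_CONF mirrors the final clanmills.co.uk-le-ssl.conf
# from the thread; BAD_CONF is a hypothetical vhost using the wrong certificate.
GOOD_CONF = """
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName  clanmills.co.uk
        ServerAlias www.clanmills.co.uk
        ServerAlias clanmills.com
        ServerAlias www.clanmills.com
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/clanmills.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/clanmills.com/privkey.pem
    </VirtualHost>
</IfModule>
"""

BAD_CONF = """
<VirtualHost *:443>
    ServerName familytree.clanmills.com
    ServerAlias familytree.clanmills.co.uk
    SSLCertificateFile /etc/letsencrypt/live/clanmills.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/clanmills.com/privkey.pem
</VirtualHost>
"""

# Certificate inventory as `certbot certificates` reported it in the thread:
# fullchain.pem path -> names in that certificate's subjectAltName.
CERT_DOMAINS = {
    "/etc/letsencrypt/live/clanmills.com/fullchain.pem": [
        "clanmills.com", "clanmills.co.uk", "www.clanmills.co.uk", "www.clanmills.com"],
    "/etc/letsencrypt/live/familytree.clanmills.com/fullchain.pem": [
        "familytree.clanmills.com", "familytree.clanmills.co.uk"],
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S | re.I)


def parse_ssl_vhosts(conf_text):
    """Return [(server_name, [all names], cert_path_or_None)] for each *:443 vhost,
    in the order Apache would load them."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf_text):
        if not addr.strip().endswith(":443"):
            continue
        names, cert = [], None
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            parts = line.split()
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                names.extend(p.lower() for p in parts[1:])
            elif key == "sslcertificatefile":
                cert = parts[1]
        vhosts.append((names[0] if names else None, names, cert))
    return vhosts


def san_matches(san, host):
    """RFC 6125-style match: exact name, or a wildcard covering one left-most label."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                       # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def find_uncovered_names(conf_text, cert_domains):
    """List (server_name, hostname, cert_path) for every vhost name that the
    vhost's own certificate does not cover. An empty list means consistent."""
    problems = []
    for server_name, names, cert in parse_ssl_vhosts(conf_text):
        sans = cert_domains.get(cert, [])
        for host in dict.fromkeys(names):      # de-duplicate, keep order
            if not any(san_matches(san, host) for san in sans):
                problems.append((server_name, host, cert))
    return problems


def default_ssl_server(conf_text):
    """The first *:443 vhost is what Apache serves to clients whose SNI matches
    no vhost; this returns its ServerName (cf. 'default server' in DUMP_VHOSTS)."""
    vhosts = parse_ssl_vhosts(conf_text)
    return vhosts[0][0] if vhosts else None


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        for server_name, host, cert in find_uncovered_names(conf, CERT_DOMAINS):
            print(f"[{label}] vhost {server_name}: {host} is not in {cert}")
    print("default *:443 server:", default_ssl_server(GOOD_CONF + BAD_CONF))
```

On a live server, build the `CERT_DOMAINS` mapping from the real files rather than from the thread, for example with `openssl x509 -in /etc/letsencrypt/live/<name>/fullchain.pem -noout -ext subjectAltName`, and feed the script the concatenated contents of `/etc/apache2/sites-enabled/*.conf`. The `default_ssl_server` result is worth checking too: when a vhost for a name is missing or disabled, the default certificate is what clients see, which is exactly the "subjectAltName does not match host name" symptom from the opening post.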