But this in fact caused the certificate and browsers to get confused. I realize now (perhaps it’s a bug) that the second item should have been at the start, not vice versa. I was no longer receiving a ‘safe’ certificate on the subdomain.
So then I revoked the certificate locally and attempted to create a new one. Ironically, no matter what I do, the certificate is ALWAYS regenerated with www.mysite.org even though I have another certificate specifically just for that.
Hmmm, not exactly the same issue, since you did not revoke your original key. But definitely an issue related to the attachment of other domains on the same key.
Would you mind sharing your <VirtualHost>s and your domain?
A couple of things:
Revocation is usually not something you need to bother with unless your private key is stolen. It’s not what you need to do when you’re replacing a certificate, or if there’s a problem with your certificate or configuration (it doesn’t actually fix any of that, it just tells browsers: This cert is bad).
The order in which you list the domains doesn’t matter.
I understand the issues around revoking as well, but I cannot see any way in the system to actually remove a domain from a certificate. In my case, it was simply causing issues after it was added. Personally, I don’t understand why, but before I added it life was fantastic.
It would help if you could share your domain so we can take a look at the actual site and certificate.
I noticed that your configuration is pointing to a certificate in cloud.mysite.org-0001. This -000X-like directory structure usually gets created when you add additional subdomains to a certificate without using the --expand option. This will create what’s called a new certificate lineage, leaving the previous certificate in place. It tends to be rather confusing.
I’d recommend taking a look around in other subdirectories of /etc/letsencrypt/live/ and checking which domains are covered by the cert.pem files in there. You can do that using openssl x509 -text -noout -in /etc/letsencrypt/live/cloud.mysite.org-0001/cert.pem | grep DNS.
Another option would be to start from scratch, include all domains you’ll need right away, and use --expand for any future additions. I wrote a post on how to delete certificate lineages a while back which might be of use here. Given that you’re also using the apache plugin, you’d have to delete any reference to /etc/letsencrypt/ from your apache configuration first (for example via grep -r "/etc/letsencrypt" /etc/apache2/).
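The audit suggested in the reply above (walk every lineage under /etc/letsencrypt/live/ and see which names each cert.pem actually covers) can be scripted so that a stray -0001 lineage is spotted at a glance. This is an added example, not a script from the thread or from certbot; it assumes only openssl and POSIX sh, the live directory is a parameter so it can be pointed at a copy or test tree, and the example.org names used for testing are constructed.

```shell
#!/bin/sh
# Added example: list the DNS names covered by every certificate lineage below a
# Let's Encrypt "live" directory (default /etc/letsencrypt/live). Each lineage is a
# subdirectory holding cert.pem; an extra "-000X" lineage shows up here as its own row.

# Print one line per lineage: "<lineage>: <dns-name> <dns-name> ...".
list_lineages() {
    live_dir="${1:-/etc/letsencrypt/live}"
    for cert in "$live_dir"/*/cert.pem; do
        [ -f "$cert" ] || continue
        lineage=$(basename "$(dirname "$cert")")
        # Parse the subjectAltName extension out of the textual dump and keep the
        # DNS: entries only (same approach as openssl x509 -text | grep DNS).
        names=$(openssl x509 -noout -text -in "$cert" 2>/dev/null \
            | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | tr '\n' ' ')
        printf '%s: %s\n' "$lineage" "${names% }"
    done
}

# Print every lineage whose certificate covers $1; exit 1 if none does.
# Useful for answering "which cert.pem is the one with www.mysite.org in it?".
lineages_covering() {
    domain="$1"
    live_dir="${2:-/etc/letsencrypt/live}"
    list_lineages "$live_dir" | awk -v d="$domain" '
        { sub(/:$/, "", $1)
          for (i = 2; i <= NF; i++) if ($i == d) { print $1; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Usage from a shell on the server (run as root, since live/ is not world-readable):
#   list_lineages
#   lineages_covering www.mysite.org
```

A lineage that lists the same names as another one, or a lineage that covers a name you no longer want served, is the one to clean up; before deleting it, make sure no VirtualHost still references its path (the grep over /etc/apache2/ in the reply above finds those).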