It would help if you could share your domain so we can take a look at the actual site and certificate.
I noticed that your configuration is pointing to a certificate in cloud.mysite.org-0001. This -000X-like directory structure usually gets created when you add additional subdomains to a certificate without using the --expand option. This will create what’s called a new certificate lineage, leaving the previous certificate in place. It tends to be rather confusing.
I’d recommend taking a look around in other subdirectories of /etc/letsencrypt/live/ and checking which domains are covered by the cert.pem files in there. You can do that using openssl x509 -text -noout -in /etc/letsencrypt/live/cloud.mysite.org-0001/cert.pem | grep DNS.
Another option would be to start from scratch, include all domains you’ll need right away and using --expand for any future additions. I wrote a post on how to delete certificate lineages a while back which might be of use here. Given that you’re also using the apache plugin, you’d have to delete any reference to /etc/letsencrypt/ from your apache configuration first (for example via grep -r "/etc/letsencrypt" /etc/apache2/).