Honestly, TJ, I was expecting so much worse. It looks to me like you have a fairly solid grasp on what you're doing, @tjluoma, so I feel confident in giving you the "fix" in brief.
Important: Use sudo for all commands related to the following steps.
Move all of the directories in /etc/letsencrypt/not-live back into /etc/letsencrypt/live whence they came.
For any of the following certificates that you actually want to delete:
Run the following command:
sudo certbot delete --cert-name CERTNAME
where CERTNAME is the name of the certificate (i.e. the name of the configuration file without the .conf on the end).
I assume that you want to delete worship.luo.ma at the very least.
Given that you deleted the worship.luo.ma certificate, you will want to:
Rename worship.luo.ma-0001 to worship.luo.ma in the /etc/letsencrypt/archive and /etc/letsencrypt/live directories.
Update the symlinks in /etc/letsencrypt/live to remove -0001.
Rename worship.luo.ma-0001.conf to worship.luo.ma.conf in the /etc/letsencrypt/renewal directory.
Open /etc/letsencrypt/renewal/worship.luo.ma.conf with your favorite text editor and change all 5 mentions of worship.luo.ma-0001 to worship.luo.ma.
Look through your Apache configuration and change any mention of worship.luo.ma-0001 to worship.luo.ma. Make certain that any certificates you have deleted are not mentioned anywhere. Reload Apache with apachectl -k graceful after you've made your changes.
If you want to "disable" a certificate:
Create a /etc/letsencrypt/non-renewal directory.
Move the configuration files of the certificates you want to "disable" from /etc/letsencrypt/renewal to /etc/letsencrypt/non-renewal.
Make absolutely certain that you do not include any of the "disabled" domain names on a new certificate request.
They are all still valid, although the permissions and group ownership are slightly different. Not sure if that matters.
I re-ran sudo certbot certificates and saw this error:
Renewal configuration file /etc/letsencrypt/renewal/worship.luo.ma.conf produced an unexpected error: target /etc/letsencrypt/archive/worship.luo.ma-0001/cert1.pem of symlink /etc/letsencrypt/live/worship.luo.ma/cert.pem does not exist. Skipping.
Ah, so there's a link that's pointing to the old directory.
To fix that, I did this:
% cd /etc/letsencrypt/live/worship.luo.ma
% ls ../../archive/worship.luo.ma/cert*pem
% sudo rm /etc/letsencrypt/live/worship.luo.ma/cert.pem
% sudo ln -s ../../archive/worship.luo.ma/cert1.pem cert.pem
Then I re-ran sudo certbot certificates and saw this error:
Renewal configuration file /etc/letsencrypt/renewal/worship.luo.ma.conf produced an unexpected error: target /etc/letsencrypt/archive/worship.luo.ma-0001/privkey1.pem of symlink /etc/letsencrypt/live/worship.luo.ma/privkey.pem does not exist. Skipping.
I should have seen that coming.
I checked all the files in that folder, and realized there were 3 other files / links that need to be updated: chain.pem, fullchain.pem, and privkey.pem.
Q1: I assume that I should renew worship.luo.ma now so that it will (almost) be lined up with the other domains, which are all due for renewal in 88 days? That way (I think) I should be able to renew all of them at the same time next time they are due.
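The "update the symlinks in /etc/letsencrypt/live" step and the four stale links found above (cert.pem, chain.pem, fullchain.pem, privkey.pem) can be handled in one pass. This is an added example, not part of the original posts and not certbot's own tooling; the function names `repoint_live_links` and `build_sample_tree` are hypothetical, and the sample tree is constructed in a scratch directory.

```bash
#!/usr/bin/env bash
# Added example, not certbot's own tooling. Try it on a copy of the tree first.

# repoint_live_links ROOT OLD NEW
#   ROOT  certbot config directory (e.g. /etc/letsencrypt)
#   OLD   lineage name the links still reference (e.g. worship.luo.ma-0001)
#   NEW   lineage name after the rename (e.g. worship.luo.ma)
# Prints how many links were rewritten; returns 1 if any link is still dangling.
repoint_live_links() {
    local root=$1 old=$2 new=$3 link target file fixed=0 dangling=0
    for link in "$root/live/$new"/*.pem; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case $target in
            */archive/"$old"/*)
                file=${target##*/}
                # Only repoint when the renamed archive really holds the file.
                if [ -e "$root/archive/$new/$file" ]; then
                    ln -sf "../../archive/$new/$file" "$link"
                    fixed=$((fixed + 1))
                fi ;;
        esac
        [ -e "$link" ] || dangling=$((dangling + 1))
    done
    echo "$fixed"
    [ "$dangling" -eq 0 ]
}

# Constructed sample tree reproducing the state in the thread: archive/ was
# renamed, but every link in live/ still points at the -0001 directory.
build_sample_tree() {
    local root=$1 name=worship.luo.ma f
    mkdir -p "$root/archive/$name" "$root/live/$name"
    for f in cert chain fullchain privkey; do
        : > "$root/archive/$name/${f}1.pem"
        ln -s "../../archive/$name-0001/${f}1.pem" "$root/live/$name/$f.pem"
    done
}

# Demo on a throwaway directory (never touches /etc/letsencrypt):
#   tmp=$(mktemp -d); build_sample_tree "$tmp"
#   repoint_live_links "$tmp" worship.luo.ma-0001 worship.luo.ma
```

Against the real tree the function needs sudo, and re-running `sudo certbot certificates` afterwards confirms that the renewal configuration now parses without the "does not exist" error.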