Schoen asked me to take a look at this.
What I think is going on here is you have a single virtual host in /etc/apache2/sites-available/lite.skop.es-le-ssl.conf that is serving pasa.skop.es and rcsa.skop.es (and maybe cp2.skop.es). This is because you have no other virtual hosts for these domains listening on port 443 and you have ServerAlias *.skop.es in your configuration file.
When you run certbot --apache -d subdomain.skop.es, you are asking Certbot to install a cert containing only the name subdomain.skop.es into the virtual host for that domain. Since this virtual host is shared between at least two domains when you do this, you are removing the existing certificate in the virtual host and replacing it with the one for subdomain.skop.es.
I have a few solutions for you depending on your preferences, but I listed them in order of most to least recommended.
- If you are fine having multiple names in a single certificate and you don’t need your server to work for arbitrary subdomains like
abc.skop.es, you should include multiple domains on the command line. For example, if the two domains you’re having trouble with arepasa.skop.esandrcsa.skop.esyou should run sudo certbot --apache -d pasa.skop.es,rcsa.skop.es`. - If you don’t want multiple names in a single certificate and you don’t need your server to work for arbitrary subdomains like
abc.skop.es, you should delete the lineServerAlias *.skop.esfrom your Apache configuration and run bothsudo certbot --apache -d pasa.skop.esandsudo certbot --apache -d rcsa.skop.esagain. - If you need your server to work for arbitrary subdomains, you’ll need to obtain a wildcard certificate. It is strongly recommended not do to this unless you need it which based on the information I have, I don’t think you do.
I hope this helps!