What does this mean and did we screw up somewhere with the cert returning this?
Lastly, for setting up with the root domain, do we just create another cert with the root domain? Or would there be some application specific way to do this? Since this is not a wildcard cert, how does the community approach it?
Yes, probably the certificate is for the wrong name or names. The most common cause here is that you have a certificate just for www.example.com and that’s not valid for example.com because it’s a different name. Humans think they’re basically the same, but machines do not. You can ask Let’s Encrypt for up to 100 names in the certificate; you will be able to pass the challenges (to prove you control the name) much the same for example.com as for www.example.com.
If you use the “certbot” tool to get certificates and now realise you need extra names in the certificate, check the --expand flag in the documentation for how to add names in an easy-to-understand way.
If it’s not a missing name, the next thing is to inspect the names on the certificate and the name you typed into the browser carefully to check they’re really the same - in your comment here you wrote sometimes “.test” and sometimes “.text” and of course those are different and it matters in a real system, so check carefully.
Certificates are public documents; in fact, your certificates will have automatically been logged to the Certificate Transparency system, and are (or will be in a few hours if new) visible in Log Monitors such as https://crt.sh/
SSL is “public key cryptography”: your server has a pair of keys, one public (included in the certificate, and so sent to everybody who connects, as well as being logged as above) and one private, which you (well, your web server) must never show to anybody and which no-one should ask to see. Here’s a cool video if you are inclined to learn why this is even mathematically possible. If you aren’t, don’t worry, it’s pretty simple to remember: the public keys are public, so it’s OK for everybody to know what those are; private keys aren’t just secret (like a password), they’re truly private, and nobody needs to know them except you.
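The two checks suggested in the reply above (a name missing from the certificate, and a name that is almost but not exactly right), as an added example that is not part of the original posts. The SAN list and hostnames are constructed, the function names are hypothetical, and the wildcard handling goes slightly beyond the non-wildcard case in the thread.

```python
import difflib

def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".")

def san_matches(hostname, san):
    """True if one dNSName SAN entry covers hostname."""
    host, pattern = _norm(hostname), _norm(san)
    if host == pattern:
        return True
    # A wildcard is honoured only as the whole leftmost label and
    # stands for exactly one label: *.example.com covers
    # www.example.com, but not example.com or a.b.example.com.
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return False

def check_names(wanted, sans):
    """Map each wanted hostname to ('ok'|'near-miss'|'missing', san or None)."""
    report = {}
    normalised = [_norm(s) for s in sans]
    for host in wanted:
        covering = [s for s in sans if san_matches(host, s)]
        if covering:
            report[host] = ("ok", covering[0])
            continue
        # Not covered: is there a SAN that differs by a character or two
        # (the ".test" versus ".text" kind of slip)?
        close = difflib.get_close_matches(_norm(host), normalised, n=1, cutoff=0.9)
        report[host] = ("near-miss", close[0]) if close else ("missing", None)
    return report

# Constructed SAN list, as read off a certificate, and the names users type.
SANS = ["www.example.com", "shop.example.text"]
WANTED = ["www.example.com", "example.com", "shop.example.test"]

if __name__ == "__main__":
    for host, (status, san) in check_names(WANTED, SANS).items():
        print(f"{host:20} {status:10} {san or ''}")
```

A "missing" result is the case for adding the name to the certificate; a "near-miss" result points at a typo in either the certificate request or the URL.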