Thank you, Brad. I have both of those cases in my httpd.conf file, and also don’t see any problems. So, we are on the same page here.
However, I still don’t see what is the case that you are trying to describe. I guess, an example of pre-certbot vhosts and SSL requests would help me, as my knowledge is rather limited here.
As far as I can tell, if there are two TLDs involved, the two cases (sans Redirect statements) that I provided cover all possible vhost situations. Of course, on top of that you need to lay the SSL request. However, from what you are describing, I gather that due to some potential issues with certbot code not having enough information or not having proper logic, against Apache's recommendation certbot is pushing REWRITE statements for all possible cases. And one of the manifestations of that is this exact thread, where UFONinja is confused (like a lot of others), and a convoluted solution is being pushed on him. Although, this is another issue (the first being certbot producing REWRITE, the second is still pushing REWRITE in this community).
Don’t get me wrong, I don’t have a bone in this discussion, as I need to do manual updates, and modified my httpd.conf/ssl.conf manually. I am also really grateful for what Let’s Encrypt provides.