SSL certificate has another domain for the "subject", and erroneous domains

I've reduced the number of virtual hosts on my computer to make management easier (or so I thought!). I'm now using the one VirtualHost for the company, which I copied below. My aim was that the company website

along with a few common errors in typing that (missing out a k in my name, or using a .com instead of a .co.uk) were caught by buying a couple of extra domains. I've set up Let's encrypt, but whilst the certificate works, and it gets an A at

https://www.ssllabs.com/ssltest/analyze.html?d=kirkbymicrowave.co.uk

the certificate contains a weird Subject, Common name, and list of alternative names, which are completely unrelated to what is wanted.

Subject bitcoinhelp.uk
Common names bitcoinhelp.uk
Alternative names bitcoinhelp.uk dhars.org.uk g8wrb.co.uk kirbymicrowave.co.uk kirkbymicrowave.co.uk kirkbymicrowave.com www.bitcoinhelp.uk www.dhars.org.uk www.g8wrb.co.uk www.kirbymicrowave.co.uk www.kirkbymicrowave.co.uk www.kirkbymicrowave.com

The other domains (bitcoinhelp.co.uk, g8wrb.co.uk and dhargs.org.uk) are all domains I have on the server, in different VirtualHost's but why are they showing up in the SSL certificate? I would only have expected to see at the very most the kirkbymicrowave.co.uk, kirkbymicrowave.com and/or kirbymicrowave.co.uk domains in the one certificate, as they are on the same virtual host. The other domains have nothing whatsoever to do with the company, so I would rather they were not there.

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName  kirkbymicrowave.co.uk
        # Add www
        ServerAlias www.kirkbymicrowave.co.uk

        # .com
        ServerAlias kirkbymicrowave.com
        ServerAlias www.kirkbymicrowave.com

        # Wrong spelling
        ServerAlias kirbymicrowave.co.uk
        ServerAlias www.kirbymicrowave.co.uk

        ServerAdmin drkirkby@kirkbymicrowave.co.uk
        DocumentRoot /var/www/html/kirkbymicrowave.co.uk

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/kirkbymicrowave.co.uk.error.log
        CustomLog ${APACHE_LOG_DIR}/kirkbymicrowave.co.uk.access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/bitcoinhelp.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bitcoinhelp.uk/privkey.pem
</VirtualHost>
</IfModule>

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kirkbymicrowave.co.uk

I ran this command: # certbot renew --dry-run -v

It produced this output:

root@foobar:/etc/apache2/sites-enabled# certbot renew --dry-run -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bitcoinhelp.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for bitcoinhelp.uk and 11 more domains
Performing the following challenges:
http-01 challenge for bitcoinhelp.uk
http-01 challenge for dhars.org.uk
http-01 challenge for g8wrb.co.uk
http-01 challenge for kirbymicrowave.co.uk
http-01 challenge for kirkbymicrowave.co.uk
http-01 challenge for kirkbymicrowave.com
http-01 challenge for www.bitcoinhelp.uk
http-01 challenge for www.dhars.org.uk
http-01 challenge for www.g8wrb.co.uk
http-01 challenge for www.kirbymicrowave.co.uk
http-01 challenge for www.kirkbymicrowave.co.uk
http-01 challenge for www.kirkbymicrowave.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/bitcoinhelp.uk/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): Apache

The operating system my web server runs on is (include version): Debian 10.x

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

Please show the output of:
certbot certificates

root@foobar:/etc/apache2# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: bitcoinhelp.uk
    Serial Number: 4f10c50fe974d75961bceb666f26a4fcb35
    Key Type: RSA
    Domains: bitcoinhelp.uk dhars.org.uk g8wrb.co.uk kirbymicrowave.co.uk kirkbymicrowave.co.uk kirkbymicrowave.com www.bitcoinhelp.uk www.dhars.org.uk www.g8wrb.co.uk www.kirbymicrowave.co.uk www.kirkbymicrowave.co.uk www.kirkbymicrowave.com
    Expiry Date: 2022-08-05 15:55:32+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/bitcoinhelp.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bitcoinhelp.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@foobar:/etc/apache2#

Please explain how that fits in with:
"SSL certificate has another domain for the "subject", and erroneous domains"

TL;DR
If you need to remove some names, there are several ways:

• "allow subset of names"
• reissue a new cert with only the names needed

Why when I look at one website for the kirkbymicrowave.co.uk domain does the SSL certificate show the following?
Common Name bitcoinhelp.uk

Should it not show the following, or something similar, instead?
Common Name kirkbymicrowave.co.uk

Why would you expect that? A certificate has only one "common name", and it's pretty much irrelevant which of the FQDNs that belong to the cert are chosen as the common name. When you have multiple domains on a single cert, you're going to get this. But the chance of anyone noticing is slim; hardly anyone looks at the certificate details.

I don't think the "problem" existed until I put the ServerAlias's in the virtual host - previously I had 6 files with just a single ServerName. But it is is a bit of a maintenance nightmare. But now I have all sorts of domains.

I think previously there were a dozen certificates. Now I seem to have one.

I'm in the process of migrating the websites to another server. But I looked on the old server, and see something very different, despite there are essentially the same domains. On that server, each domain has its own certificate, but not here. The only material difference I can think of is using ServerAlias rather than lots of different files. Now I have about 5 configuration files, rather than a dozen or so.

root@localhost:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: bitcoinhelp.uk
    Domains: bitcoinhelp.uk www.bitcoinhelp.uk
    Expiry Date: 2022-07-01 16:48:24+00:00 (VALID: 54 days)
    Certificate Path: /etc/letsencrypt/live/bitcoinhelp.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bitcoinhelp.uk/privkey.pem
  Certificate Name: dell-uk-sales.co.uk
    Domains: dell-uk-sales.co.uk www.dell-uk-sales.co.uk
    Expiry Date: 2022-06-08 22:46:59+00:00 (VALID: 32 days)
    Certificate Path: /etc/letsencrypt/live/dell-uk-sales.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dell-uk-sales.co.uk/privkey.pem
  Certificate Name: dhars.org.uk
    Domains: dhars.org.uk www.dhars.org.uk
    Expiry Date: 2022-07-08 05:44:12+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/dhars.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dhars.org.uk/privkey.pem
  Certificate Name: g8wrb.co.uk
    Domains: g8wrb.co.uk www.g8wrb.co.uk
    Expiry Date: 2022-07-08 05:44:23+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/g8wrb.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/g8wrb.co.uk/privkey.pem
  Certificate Name: gnucash.kirkbymicrowave.co.uk
    Domains: gnucash.kirkbymicrowave.co.uk
    Expiry Date: 2022-07-28 10:23:27+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/gnucash.kirkbymicrowave.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gnucash.kirkbymicrowave.co.uk/privkey.pem
  Certificate Name: kirbymicrowave.co.uk
    Domains: kirbymicrowave.co.uk
    Expiry Date: 2022-07-08 05:44:33+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/kirbymicrowave.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kirbymicrowave.co.uk/privkey.pem
  Certificate Name: kirkbymicrowave.co.uk
    Domains: kirkbymicrowave.co.uk www.kirkbymicrowave.co.uk
    Expiry Date: 2022-07-08 05:44:44+00:00 (VALID: 61 days)
    Certificate Path: /etc/letsencrypt/live/kirkbymicrowave.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kirkbymicrowave.co.uk/privkey.pem
  Certificate Name: kirkbymicrowave.com
    Domains: kirkbymicrowave.com
    Expiry Date: 2022-07-27 09:17:58+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/kirkbymicrowave.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kirkbymicrowave.com/privkey.pem
  Certificate Name: www.bitcoinhelp.uk
    Domains: www.bitcoinhelp.uk
    Expiry Date: 2022-07-01 16:48:29+00:00 (VALID: 54 days)
    Certificate Path: /etc/letsencrypt/live/www.bitcoinhelp.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.bitcoinhelp.uk/privkey.pem
  Certificate Name: www.kirbymicrowave.co.uk
    Domains: www.kirbymicrowave.co.uk
    Expiry Date: 2022-07-09 01:02:57+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/www.kirbymicrowave.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.kirbymicrowave.co.uk/privkey.pem
  Certificate Name: www.kirkbymicrowave.com
    Domains: www.kirkbymicrowave.com
    Expiry Date: 2022-07-27 09:18:09+00:00 (VALID: 80 days)
    Certificate Path: /etc/letsencrypt/live/www.kirkbymicrowave.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.kirkbymicrowave.com/privkey.pem

So, what would you like to do?

If possible, generate certificates which do not mention other domains in them.

As a test, I used a similar configuration to the old server - removed the server alias entries. Then I run certbot again, and found it generated multiple certificates. However, each certificate has a common name of bitcoinhelp.uk.

I currently have 6 domains on the server, so 12 files, as one has the www and one does not. I'm wondering if I
.

1. Deleted all the contents of /etc/letsencrypt
2. Deleted the the configuration files in /etc/apache2/sites-enabled and /etc/apache2/sites-available
3. Re-run certbot, but this time, instead of asking it to generate certificates for all 6 domains, just pick one domain. Then run certbot again, and ask it to generate a certificate for a second domain. I'd need to run it 6 times.

Hopefully, those 6 certificates will have a common name matching the domain, with no mention of other domains.

I'll give that a try later.

FYI:
Certificates can hold many entries (in the SAN field).
LE limits that to 100.
Any cert with more than one name in the SAN will suffer from the

because there is only one common name field [which can only hold one single entry].

As mentioned:

This is a very common practice by all shared hosting services and CDNs [more than half of all the sites in use].

But if you really want the common name to match the site that uses it, then you will have to issue a cert for each site/name.
[there is no way around that]

And each server block will have to only serve one single site/name.
[this means you will have to split the aliases into their own separate primary server blocks]

From there, you can have certbot issue certs for each one [individually].

Once all the sites are created and updated to use their individual certs, don't forget to remove the cert with all the names on it.

I've got around the "problem" - at least I saw it as a problem, although responses from other people indicate that I should not have been concerned about this, and it's common practice. But personally I did not like it. I don't have any weird domain names, but if I had my-professional-company.com and my-sexual-likes.net, I would rather that the SSL certificate for my-professional-company.com did not have references to my-sexual-likes.net.

I did the following:

1. Removed the directory /etc/letsencrypt, and undid any changes certbot had made.
2. Put one ServerAlias in each of the configuration files, having one file for each domain. So there were separate files for kirkbymicrowave.co.uk, kirkymicrowave.co.uk, kirkbymicrowave.com, bitcoinhelp.uk, dhars.org.uk and g8wrb.co.uk. So a typical file is like the following.

        ServerName  kirkbymicrowave.co.uk
        ServerAlias www.kirkbymicrowave.co.uk

        ServerAdmin drkirkby@kirkbymicrowave.co.uk
        DocumentRoot /var/www/html/kirkbymicrowave.co.uk

3. Run certbot --apache 6 times, doing one domain at a time, so kirkbymicrowave.co.uk and www.kirkbymicrowave.co.uk were generated at the same time, but nothing else. (See output of two invocations of certbot below)

Now each SSL certificate has the name matching the correct domain I want it to have, and the only that domain is mentioned.

root@foobar:/etc/apache2/sites-enabled#  certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: bitcoinhelp.uk
2: www.bitcoinhelp.uk
3: g8wrb.co.uk
4: www.g8wrb.co.uk
5: kirbymicrowave.co.uk
6: www.kirbymicrowave.co.uk
7: kirkbymicrowave.co.uk
8: www.kirkbymicrowave.co.uk
9: kirkbymicrowave.com
10: www.kirkbymicrowave.com
11: dhars.org.uk
12: www.dhars.org.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Requesting a certificate for bitcoinhelp.uk and www.bitcoinhelp.uk

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/bitcoinhelp.uk/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/bitcoinhelp.uk/privkey.pem
This certificate expires on 2022-08-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for bitcoinhelp.uk to /etc/apache2/sites-available/bitcoinhelp.uk-le-ssl.conf
Successfully deployed certificate for www.bitcoinhelp.uk to /etc/apache2/sites-available/bitcoinhelp.uk-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://bitcoinhelp.uk and https://www.bitcoinhelp.uk
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@foobar:/etc/apache2/sites-enabled#  certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: bitcoinhelp.uk
2: www.bitcoinhelp.uk
3: g8wrb.co.uk
4: www.g8wrb.co.uk
5: kirbymicrowave.co.uk
6: www.kirbymicrowave.co.uk
7: kirkbymicrowave.co.uk
8: www.kirkbymicrowave.co.uk
9: kirkbymicrowave.com
10: www.kirkbymicrowave.com
11: dhars.org.uk
12: www.dhars.org.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3 4
Requesting a certificate for g8wrb.co.uk and www.g8wrb.co.uk

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/g8wrb.co.uk/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/g8wrb.co.uk/privkey.pem
This certificate expires on 2022-08-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Should should confirm which certs are now being managed by certbot, with:
certbot certificates

Thank you. For the most part that seems as expected, but I do have the following, which I don't need. I run certbot on one domain twice.

  Certificate Name: kirbymicrowave.co.uk-0001
    Serial Number: 4f9ca57781911b3edbfb72ee0da41a742e9
    Key Type: RSA
    Domains: kirbymicrowave.co.uk
    Expiry Date: 2022-08-06 08:08:15+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/kirbymicrowave.co.uk-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kirbymicrowave.co.uk-0001/privkey.pem

root@foobar:/etc/apache2/sites-available#  certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: bitcoinhelp.uk
    Serial Number: 4ce64d86b0c6c5f3804d4f50d1e9983c85a
    Key Type: RSA
    Domains: bitcoinhelp.uk www.bitcoinhelp.uk
    Expiry Date: 2022-08-06 06:34:20+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/bitcoinhelp.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bitcoinhelp.uk/privkey.pem
  Certificate Name: dhars.org.uk
    Serial Number: 488b2f046dd55c48f60933fea12e546f70a
    Key Type: RSA
    Domains: dhars.org.uk www.dhars.org.uk
    Expiry Date: 2022-08-06 06:35:56+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/dhars.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dhars.org.uk/privkey.pem
  Certificate Name: g8wrb.co.uk
    Serial Number: 4e69441ce7390799e8cfb9a3571031e71c2
    Key Type: RSA
    Domains: g8wrb.co.uk www.g8wrb.co.uk
    Expiry Date: 2022-08-06 06:34:41+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/g8wrb.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/g8wrb.co.uk/privkey.pem
  Certificate Name: kirbymicrowave.co.uk-0001
    Serial Number: 4f9ca57781911b3edbfb72ee0da41a742e9
    Key Type: RSA
    Domains: kirbymicrowave.co.uk
    Expiry Date: 2022-08-06 08:08:15+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/kirbymicrowave.co.uk-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kirbymicrowave.co.uk-0001/privkey.pem
  Certificate Name: kirbymicrowave.co.uk
    Serial Number: 3cbf3f040bcd0df37504a8a33a83d4b2450
    Key Type: RSA
    Domains: kirbymicrowave.co.uk www.kirbymicrowave.co.uk
    Expiry Date: 2022-08-06 06:34:58+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/kirbymicrowave.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kirbymicrowave.co.uk/privkey.pem
  Certificate Name: kirkbymicrowave.com
    Serial Number: 3466d57f2add6a02da923d9d526bc35fca5
    Key Type: RSA
    Domains: kirkbymicrowave.com www.kirkbymicrowave.com
    Expiry Date: 2022-08-06 06:35:38+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/kirkbymicrowave.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kirkbymicrowave.com/privkey.pem
  Certificate Name: www.kirkbymicrowave.co.uk
    Serial Number: 48112f31bc4d1a17215c71d952b7c6654df
    Key Type: RSA
    Domains: www.kirkbymicrowave.co.uk kirkbymicrowave.co.uk
    Expiry Date: 2022-08-06 06:35:17+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.kirkbymicrowave.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.kirkbymicrowave.co.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Install the one you want to use (3cbf3f040bcd0df37504a8a33a83d4b2450 I think) and tell certbot to delete the other.

certbot [some subcommand I don't remember and you'll find in the documentation or `certbot help`]  \
  --cert-name "kirbymicrowave.co.uk-0001"

Make backups, before.

tar czf ~/certbot_backup_$(date -u +%F_%T).tgz /etc/letsencrypt

I just revoked that duplicate certificate. I thought afterwards that perhaps revoking it was not the best solution, but it stop certbot renewing it.

There's still something puzzling me. By not trying to get certbot to generate all the domains at once, the certificate looks perfect in the browser. There's none of this bitcoin rubbish any more. However, if I use

https://www.ssllabs.com/ssltest/analyze.html?d=kirkbymicrowave.co.uk

and expand the output to show the 2nd certificate, then I see this

Aternative names bitcoinhelp.uk www.bitcoinhelp.uk MISMATCH

in red. Is that a bug or a feature?

If my domains are arranged in alphabetical order, bitcoinhelp.uk is the first domain I own

I said delete, not revoke.

It's neither a bug nor a feature, it's just how TLS works when you have multiple websites on the same server.

I had not spotted your post saying delete, not revoke, before I had revoked the certificate with

# certbot revoke --cert-path /etc/letsencrypt/live/kirbymicrowave.co.uk-0001/fullchain.pem

It should work too.

Revoke means that you lost the private key and wish that certificate be disavowed. If some other certificate uses the same private key, they could get revoked as well.

If you just don't need it, don't use it. Delete is the easy way to tell certbot not to care.