So follow up thought. I think I know why this happened. I am still running the certbot command manually and getting the PEM files. Then I manually copy them to ....
Lol, now I’m embarrassed. I totally do still manually every 90 days issue the certbot command with DNS verification, manually go over to DNS and update txt records, then finally get a new set of chain,cert, and privkey pem files. I usually do this on my Windows desktop using WSL, then use WINSCP to move the files to two different Ubuntu/Apache web servers of mine. It’s sort of awful, but I’m not that familiar with the automated process.
For a long time I would copy the certs to the ssl directly with a name matching the day and time, rather than overwriting the old files. Then I would have to go into the default-ssl.conf and update the certificate name there. Bounce Apache service. One server is an ownCloud machine, the other is just a wordpress box.