I recall something related being commented on in this forum (in reference to multiple domains, the first domain in the list, etc.)
I know @danb35 has a better grasp of this.
User Guide — Certbot 2.6.0 documentation
-d DOMAIN, --domains DOMAIN, --domain DOMAIN
Domain names to apply. For multiple domains you can
use multiple -d flags or enter a comma separated list
of domains as a parameter. The first domain provided
will be the subject CN of the certificate, and all
domains will be Subject Alternative Names on the
certificate. The first domain will also be used in
some software user interfaces and as the file paths
for the certificate and related material unless
otherwise specified or you already have a certificate
with the same name. In the case of a name collision it
will append a number like 0001 to the file path name.
Here's some information from the Let's Encrypt Forums:

Use `--cert-name mydomain.com` and Certbot will overwrite the existing entry instead of creating a new one. Without `--cert-name`, the new item is created whenever you request a cert for a set of names that has overlap with a previous set but isn't a strict superset. For example, if you first request `example.com` and `www.example.com`, and later request `example.com` and `example.net` without `www.example.com`, the new certificate would likely be called `example.com-0001`, while the `example.com` cert covering `www.example.com` would continue to exist. That is, removing any name from the old certificate's list will cause the generation of an `-0001` cert if you don't specify `--cert-name`. The intended way to prevent this is indeed @_az's recommendation of specifying `--cert-name` (this is the only way to remove a name from an existing cert's coverage with Certbot).
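The lineage-selection rules quoted above (same name set renews, a strict superset expands, any other overlap creates a new `-0001` lineage, and `--cert-name` pins the lineage and is the only way to drop a name) are easy to misread, so here is an added example that models them. This is not Certbot's own code and not part of the original post; the `existing` dict is a stand-in for the lineages under /etc/letsencrypt/live/, and the function names (`resolve_lineage`, `apply_request`, `next_free_name`) are assumptions made for this illustration.

```python
"""Model of Certbot's certificate-lineage selection and naming.

Added illustration, not Certbot's code.  `existing` maps a lineage name
(the directory name under /etc/letsencrypt/live/) to the set of names the
certificate covers.  The rules implemented are the ones quoted on the page:
exact match -> renew; strict superset -> expand; anything else -> a new
lineage named after the first -d domain, with -0001/-0002 appended on a
name collision; --cert-name -> always that lineage, even if names shrink.
"""
from typing import Dict, List, Optional, Set, Tuple


def next_free_name(existing: Dict[str, Set[str]], base: str) -> str:
    """Return `base` if unused, otherwise base-0001, base-0002, ... (Certbot-style)."""
    if base not in existing:
        return base
    n = 1
    while f"{base}-{n:04d}" in existing:
        n += 1
    return f"{base}-{n:04d}"


def resolve_lineage(existing: Dict[str, Set[str]],
                    domains: List[str],
                    cert_name: Optional[str] = None) -> Tuple[str, str]:
    """Decide which lineage a request touches and what happens to it.

    domains   - the -d list, in order; domains[0] is the CN and the default
                lineage name when a new lineage is created.
    cert_name - value of --cert-name, or None.
    Returns (lineage_name, action), action in {renew, expand, update, create}.
    """
    requested = set(domains)

    if cert_name is not None:
        # --cert-name pins the lineage: Certbot overwrites it (so names may be
        # removed, the only way to drop a name) or creates it under that name.
        if cert_name not in existing:
            return cert_name, "create"
        return cert_name, "renew" if existing[cert_name] == requested else "update"

    # Same set of names as an existing lineage: plain renewal of that lineage.
    for name, names in existing.items():
        if names == requested:
            return name, "renew"

    # Requested set strictly contains an existing lineage's names: expand it.
    # (If several lineages qualify this model takes the first one found.)
    for name, names in existing.items():
        if names < requested:
            return name, "expand"

    # Disjoint, or overlap that drops a name: a new lineage named after the
    # first domain, with a numeric suffix if that name is already taken.
    return next_free_name(existing, domains[0]), "create"


def apply_request(existing: Dict[str, Set[str]],
                  domains: List[str],
                  cert_name: Optional[str] = None) -> Tuple[str, str]:
    """Apply the request to `existing` the way it would change live/; return the decision."""
    name, action = resolve_lineage(existing, domains, cert_name)
    existing[name] = set(domains)
    return name, action


if __name__ == "__main__":
    # Constructed walk-through of the forum scenario quoted above.
    live: Dict[str, Set[str]] = {}
    print(apply_request(live, ["example.com", "www.example.com"]))       # create example.com
    print(apply_request(live, ["example.com", "example.net"]))           # create example.com-0001
    print(apply_request(live, ["example.com", "www.example.com", "example.net"]))  # expand example.com
    print(apply_request(live, ["example.com"], cert_name="example.com")) # update example.com (names dropped)
    for lineage, names in live.items():
        print(f"{lineage}: {sorted(names)}")
```

Run it to see the three outcomes side by side: the second request lands in `example.com-0001` rather than replacing the first lineage, the superset request expands `example.com` in place, and only the `--cert-name` request is able to shrink a lineage's name list.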