
Why is apache ignoring my certbot cert and sending the domain request to a different cert?

0 votes
1 answer
64 views
I believe the two issues I'm having are related, but don't know where to begin. The first issue is that when a specific domain that resolves to my server is requested, its conf file in sites-enabled is ignored, as is 000-default.conf; instead the first conf next in alphabetical order is used and that site appears, but with the domain I requested in the browser bar. This only happens with this one domain, which leads to the second problem. I have a multi-domain cert (CA) and all the domains in it show up as expected. I have an installed certbot cert for this other domain. When I use openssl with the domain name of this other domain, it shows the contents of the multi-domain cert. When I use an SSL checker I get the same results, with it noting that the domain name I entered is not included in the cert. I notice that when I do apachectl -S, prior to listing the *:443 and *:80 files, it lists a virtual host with the server's IP address as the named server, and the first file it lists is not the 000-default (which IS listed as the first for *:80 and *:443) but the next one alphabetically. The problematic domain is halgrossman.com.
**halgrossman.com.conf**

```apache
# The enclosing <VirtualHost> and <Directory> tags were stripped by the page
# extraction and are restored here; apachectl -S lists this vhost at line 1 on *:80.
<VirtualHost *:80>
    ServerName halgrossman.com
    ServerAlias www.halgrossman.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/drupal/halgrossman/web
    # Directory path assumed to match DocumentRoot. "Order/allow from" is the
    # Apache 2.2 access syntax; on 2.4 it only works with mod_access_compat loaded.
    <Directory /var/www/html/drupal/halgrossman/web>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

**halgrossman.com-le-ssl.conf**

```apache
# Tags restored as above; apachectl -S lists this vhost at line 2 on *:443,
# matching certbot's usual <IfModule mod_ssl.c> wrapper on line 1 (assumed).
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName halgrossman.com
    ServerAlias www.halgrossman.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/drupal/halgrossman/web
    <Directory /var/www/html/drupal/halgrossman/web>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/halgrossman.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/halgrossman.com/privkey.pem
</VirtualHost>
</IfModule>
```

**Output from openssl**

```text
$ openssl s_client -connect halgrossman.com:443 -servername halgrossman.com
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = theaccidentalcoder.com
verify return:1
---
Certificate chain
 0 s:CN = theaccidentalcoder.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 2 00:00:00 2024 GMT; NotAfter: Dec 21 23:59:59 2024 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov 2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan 1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
```

theaccidentalcoder.com is the primary domain on a multi-domain CA cert, which halgrossman.com is **not** part of.

**Output from SSL Checker**

```text
halgrossman.com resolves to 45.56.118.187
Server Type: Apache/2.4.52 (Ubuntu)
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by Sectigo.
The certificate will expire in 84 days.
None of the common names in the certificate match the name that was entered (halgrossman.com). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors.
Common name: theaccidentalcoder.com
SANs: theaccidentalcoder.com, ascaatl.org, guildbuildersinc.com, musictohealby.com, souknook.com, thetouristlife.com
Valid from September 1, 2024 to December 21, 2024
```

**Output from apache2ctl -S**

```text
45.56.118.187:443      is a NameVirtualHost
         default server guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:37)
         port 443 namevhost guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:37)
         port 443 namevhost musictohealby.com (/etc/apache2/sites-enabled/musictohealby.com.conf:37)
         port 443 namevhost theaccidentalcoder.com (/etc/apache2/sites-enabled/theaccidentalcoder.com.conf:23)
         port 443 namevhost thetouristlife.com (/etc/apache2/sites-enabled/thetouristlife.com.conf:21)
*:443                  halgrossman.com (/etc/apache2/sites-enabled/halgrossman.com-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server halgrossman.com (/etc/apache2/sites-enabled/00-default.conf:1)
         port 80 namevhost halgrossman.com (/etc/apache2/sites-enabled/00-default.conf:1)
                 alias www.halgrossman.com
         port 80 namevhost default (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:1)
                 alias www.guildbuildersinc.com
         port 80 namevhost halgrossman.com (/etc/apache2/sites-enabled/halgrossman.com.conf:1)
                 alias www.halgrossman.com
         port 80 namevhost musictohealby.com (/etc/apache2/sites-enabled/musictohealby.com.conf:1)
                 alias www.musictohealby.com
         port 80 namevhost theaccidentalcoder.com (/etc/apache2/sites-enabled/theaccidentalcoder.com.conf:1)
                 alias www.theaccidentalcoder.com
         port 80 namevhost thetouristlife.com (/etc/apache2/sites-enabled/thetouristlife.com.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
```

Note that the domain list appearing first is listed for the IP, and does not include 000-default. The one it **does** list first, guildbuildersinc.com, is the first, alphabetically, after 000-default, and the site that appears when requesting https://halgrossman.com.
Asked by JAyenGreen (101 rep)
Oct 2, 2024, 03:54 AM
Last activity: Oct 4, 2024, 01:10 AM
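The `apache2ctl -S` listing above mixes vhosts bound to the server's IP on port 443 with one bound to `*:443`. Apache selects a virtual host by the connection's IP:port first and only then by SNI/Host name, so a name defined only under `*:443` is never considered for connections arriving on an IP that has its own 443 vhost set; the wrong certificate and wrong site (the IP-bound set's default server) are the visible symptom. The following script is an added example, not part of the question or of Apache: it parses `apache2ctl -S` output and flags exactly that pattern. The sample output is constructed from the listing in the question, with fewer vhosts.

```python
import re

# Constructed sample modelled on the apache2ctl -S output quoted in the question (fewer vhosts).
SAMPLE_OUTPUT = """\
45.56.118.187:443      is a NameVirtualHost
         default server guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:37)
         port 443 namevhost guildbuildersinc.com (/etc/apache2/sites-enabled/guildbuildersinc.com.conf:37)
                 alias www.guildbuildersinc.com
         port 443 namevhost theaccidentalcoder.com (/etc/apache2/sites-enabled/theaccidentalcoder.com.conf:23)
*:443                  halgrossman.com (/etc/apache2/sites-enabled/halgrossman.com-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server halgrossman.com (/etc/apache2/sites-enabled/00-default.conf:1)
         port 80 namevhost halgrossman.com (/etc/apache2/sites-enabled/00-default.conf:1)
"""

ADDR_RE = re.compile(r"^(\S+:\d+)\s+(?:is a NameVirtualHost|(\S+)\s+\((\S+:\d+)\))")
VHOST_RE = re.compile(r"^\s+port \d+ namevhost (\S+) \((\S+:\d+)\)")
ALIAS_RE = re.compile(r"^\s+alias (\S+)")
DEFAULT_RE = re.compile(r"^\s+default server (\S+)")

def parse_vhosts(text):
    """Map each listen address to {"default": name, "names": {hostname: "file:line"}}."""
    hosts, current, last = {}, None, None
    for line in text.splitlines():
        if m := ADDR_RE.match(line):
            addr, single, src = m.groups()
            current = hosts.setdefault(addr, {"default": single, "names": {}})
            if single:  # lone vhost on this address; no NameVirtualHost block follows
                current["names"][single], last = src, src
        elif current is None:
            continue  # text before the first address line
        elif m := DEFAULT_RE.match(line):
            current["default"] = m.group(1)
        elif m := VHOST_RE.match(line):
            name, last = m.groups()
            current["names"][name] = last
        elif (m := ALIAS_RE.match(line)) and last:
            current["names"][m.group(1)] = last  # ServerAlias of the preceding vhost
    return hosts

def shadowed_names(hosts):
    """Names served only on *:PORT while an IP:PORT vhost set exists on the same port;
    on that IP they fall to the IP-bound set's default server, not the wildcard vhost."""
    findings = []
    for addr, info in hosts.items():
        ip, _, port = addr.rpartition(":")
        for other, oinfo in hosts.items():
            oip, _, oport = other.rpartition(":")
            if ip == "*" and oip != "*" and oport == port:
                findings += [(n, addr, other, oinfo["default"]) for n in info["names"] if n not in oinfo["names"]]
    return findings
```

Run it against real output with `apache2ctl -S 2>&1 | python3 -c 'import sys, vhostcheck; print(vhostcheck.shadowed_names(vhostcheck.parse_vhosts(sys.stdin.read())))'` (module name assumed); a finding means the certificate served on that IP comes from the IP-bound default vhost, which is what the openssl and SSL-checker output above show.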