Use --cert-name with the primary domain, so that letsencrypt will name the certificate the same as what the rest of our config is expecting.
Use --expand, because otherwise, if we change the list of domains, certbot will stop and prompt as to whether it should add the domains to the certificate.
Also add the x permission to the ssl dir, which didn't seem to break anything but likely only because all this runs as root.
--cert-namewith the primary domain, so that letsencrypt will name the certificate the same as what the rest of our config is expecting.--expand, because otherwise, if we change the list of domains, certbot will stop and prompt as to whether it should add the domains to the certificate.xpermission to the ssl dir, which didn't seem to break anything but likely only because all this runs as root.