well, this is embarrassing. I hadn't revisited my Apache configuration for years, and it turns out I had old SSLCertificateChainFile directives in my configs pointing to an obsolete cert. I was thinking that directive had to do with client certs.
Well, anyway, I pointed that to my letsencrypt cert fullchain.pem, and now all my websites check out at DigiCert.
last updated 2020-04-14 18:42:55. served from tektonic.jcomeau.com