My server teijenkins.hcmc.uvic.ca is also proxied as jenkins2.tei-c.org, and it needs a cert for that too. I had assumed that I would need to generate a second certificate, but actually it's easy to add a new domain to the existing cert. The VirtualHost has this:
ServerName teijenkins.hcmc.uvic.ca ServerAlias *jenkins*.tei-c.org
and all I had to do was this:
sudo certbot --apache -d teijenkins.hcmc.uvic.ca -d jenkins2.tei-c.org
and it regenerated the existing cert with the other domain added to it. This cert runs till December; it's not clear from the feedback whether it will be renewed automatically, or whether I'll have to run certbot manually to get that to happen.