I came to the conclusion that using the "versioned" certificates in the apache config snippets isn't a bug after all.
If the Apache config is pointing at the incorrect certificate, i.e. the configuration is out of date, then it will be regenerated to point at the new certificate and then Apache is reloaded, which means that we've a neat way to deal with certificates changing. Also it removes a bit of a race condition if apache were to restart between the symlinks for the certificate and key being put into
If the config is pointed at the
current symlink, then the configuration would always be correct, whilst checking to see if Apache is using the correct certificate for a domain is possible, the action to take if the certificate is somehow incorrect is not necessarily clear, or easy to describe. There are a lot of corner cases.
I think for the moment I'll leave this as-is. This will work for people who have not edited their apache templates, but it will not work for people who have, which is an issue, and a really knobbly one to solve.