I enabled debug and can see a log:
"http.stdlib","msg":"http: TLS handshake error from 192.168.128.13:65391: no certificate available for 'vault'"
Maybe I’m misunderstanding something, but why would it be showing that, or any, certificate? Shouldn’t it just be redirecting the request to the FQDN and presenting the certificate assigned to that FQDN block? My middle example, vault.OTHER.DOMAIN.UK, doesn’t have a cert assigned, manually or by LE, and it redirects as expected to my other FQDN and shows the correct certificate.
I found the example someone else had where they got it working, that I’ve tried to replicate: "ERR_SSL_PROTOCOL_ERROR when using search domain to complete domain name". I’m not sure if this person is missing something from their config snippet that works, because it looks like they’ve duplicated the snippet above they said doesn’t work. I don’t think the {$DOMAIN} part being different should matter because I believe that’s just a pre-assigned environment variable?