diff --git a/playbooks/roles/letsencrypt-request-certs/README.rst b/playbooks/roles/letsencrypt-request-certs/README.rst index 92695ef949..ff69a5044b 100644 --- a/playbooks/roles/letsencrypt-request-certs/README.rst +++ b/playbooks/roles/letsencrypt-request-certs/README.rst @@ -39,7 +39,9 @@ provision process. certificate to create (i.e. a host can create multiple separate certificates). Each key should have a list of hostnames valid for that certificate. The certificate will be named for the *first* - entry. + entry. Naming the cert for the service (rather than the hostname) + will simplify references to the file (for example in Apache + VirtualHost configs), so listing it first is preferred. For example: @@ -47,13 +49,13 @@ provision process. letsencrypt_certs: hostname-main-cert: - - hostname01.opendev.org - hostname.opendev.org + - hostname01.opendev.org hostname-secondary-cert: - foo.opendev.org will ultimately result in two certificates being provisioned on the - host in ``/etc/letsencrypt-certs/hostname01.opendev.org`` and + host in ``/etc/letsencrypt-certs/hostname.opendev.org`` and ``/etc/letsencrypt-certs/foo.opendev.org``. Note the creation role ``letsencrypt-create-certs`` will call a
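Review bot: In the first hunk (README.rst, the paragraph ending "so listing it first is preferred"), the contrast between "the service" and "the hostname" is unclear, because every entry in the list is a hostname. The pronoun "it" also has no clear antecedent. Suggest spelling the distinction out using the names from the example below, for instance: "List the service name (``hostname.opendev.org``) before the individual server name (``hostname01.opendev.org``), so the certificate path stays the same when the server behind the service is replaced." That makes the Apache VirtualHost benefit concrete and ties the sentence to the "named for the *first* entry" rule just above it.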
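Review bot: In the second hunk (the ``letsencrypt_certs`` example and the ``/etc/letsencrypt-certs/hostname.opendev.org`` path), the documentation is missing a note on what reordering means for a host that is already deployed. Since the certificate is named for the first entry, swapping the two entries of an existing key moves the output from ``/etc/letsencrypt-certs/hostname01.opendev.org`` to ``/etc/letsencrypt-certs/hostname.opendev.org``. Suggest adding one sentence after the path description telling readers that any config referencing the old directory (such as the Apache VirtualHost configs mentioned earlier) must be updated in the same change, so a web server is not left pointing at a path that is no longer renewed.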