Update letsencrypt role docs to suggest a specific order

In reviews on https://review.opendev.org/819923 we discovered we
are inconsistent in how we create certs.  Suggest a specific course
of action and record the reasoning.

Change-Id: I974a1717a74e759ca8805dcb707efc7fe29ba53f

playbooks/roles/letsencrypt-request-certs/README.rst

@@ -39,7 +39,9 @@ provision process.
    certificate to create (i.e. a host can create multiple separate
    certificates).  Each key should have a list of hostnames valid for
    that certificate.  The certificate will be named for the *first*
-   entry.
+   entry.  Naming the cert for the service (rather than the hostname)
+   will simplify references to the file (for example in Apache
+   VirtualHost configs), so listing it first is preferred.
 
    For example:
 
@@ -47,13 +49,13 @@ provision process.
 
      letsencrypt_certs:
        hostname-main-cert:
-         - hostname01.opendev.org
          - hostname.opendev.org
+         - hostname01.opendev.org
        hostname-secondary-cert:
          - foo.opendev.org
 
    will ultimately result in two certificates being provisioned on the
-   host in ``/etc/letsencrypt-certs/hostname01.opendev.org`` and
+   host in ``/etc/letsencrypt-certs/hostname.opendev.org`` and
    ``/etc/letsencrypt-certs/foo.opendev.org``.
 
    Note the creation role ``letsencrypt-create-certs`` will call a