OK, after several hours I seem to have fixed most of this except for a cert for the mail subdomain, which I use for my outbound SMTP. It remains to be seen if this is an issue. Including how I fixed it below for people who come later.
When I updated to the latest Webmin today the update did not run smoothly and it lost my config. I started out by restoring my settings from a backup, which Webmin is scheduled to FTP to me weekly.
I solved the vhost wrong-cert problem via nginx -t after a lot of searching on Stack Exchange. I had duplicate server declarations in my /etc/nginx/sites-available server blocks. Upon deleting those duplicate server declarations, the sites are now up and running and successfully responding with the proper SSL certs. That settles things for domains 1 and 3-6.
I then tried to install a Let's Encrypt cert via Virtualmin for only domain2 and www.domain2, which succeeded, but did not actually work for Webmin itself since it excluded the virtualmin subdomain created by Virtualmin.
So I then tried the answer found here, although untangling that thread was awkward. I created an alias subdomain.domain2 but it still failed to pull the Let's Encrypt cert, apparently because when I created the alias I unticked the “create DNS zone” and “create nginx website” boxes thinking I wouldn’t need them.
I deleted the alias and recreated it with those boxes ticked, which got further but then dumped on trying to verify www.subdomain.domain2. So I went back to domain2 > SSL Certificate and set it to pull only for domain2, www.domain2 and subdomain.domain2 rather than those three plus www.subdomain.domain2.
I then went back to the SSL Certificate page and activated it for services, which also completed successfully. Now when visiting Virtualmin I no longer have the “https” crossed out, but my browser still tells me the site is not secure. Better than nothing, I guess?
I sent a test email and it went through, but I’ve never managed to get encryption working right on the mailserver so I go through port 25 unsecured. Getting the cert working on mail.domain2 will remain a low-priority issue. My mailserver is a mess so I’ve been looking to outsource it for some time.
EDIT: Switched my SMTP server address from mail.vhostdomain.com to domain2.com for all email addresses from which I send in Gmail and it now logs in properly for encrypting via SSL or TLS. Will probably tinker with it over the next few days since there’s a lot of spam weirdness in the postfix queue, but that’s another issue altogether.
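An added example, not part of the original post: a small checker for the duplicate server declarations described above, reporting every listen/server_name pair that more than one server block claims. The file names and hostnames are constructed, and it assumes site files whose server blocks sit at the top level, as files in /etc/nginx/sites-available do.

```python
import re
from collections import defaultdict

SAMPLE = {  # constructed sample files; names and paths are placeholders
    "sites-available/domain1.conf": """server {
    listen 443 ssl;
    server_name domain1.example www.domain1.example;
    location / { try_files $uri =404; }
}""",
    "sites-available/domain2.conf": """server {
    listen 443 ssl;
    server_name domain2.example;
}
server { listen 443 ssl; server_name domain1.example; }  # stale duplicate""",
}

def server_blocks(text):
    """Yield each top-level server block as a list of directives (word lists).
    Comments are stripped first; a '#' inside a quoted value is not handled."""
    depth, block, words = 0, None, []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text)):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            depth += 1
            if depth == 1 and words == ["server"]:
                block = []  # entering a server block
        elif tok == ";" and depth == 1 and block is not None:
            block.append(words)  # directive directly inside the server block
        elif tok == "}":
            if depth == 1 and block is not None:
                yield block
                block = None
            depth -= 1
        words = []

def duplicate_names(files):
    """Return {(listen, server_name): [files]} for pairs declared more than once."""
    seen = defaultdict(list)
    for path, text in files.items():
        for block in server_blocks(text):
            listens = [d[1] for d in block if d[:1] == ["listen"] and d[1:]]
            names = [n for d in block if d[:1] == ["server_name"] for n in d[1:]]
            for key in ((l, n) for l in listens for n in names):
                seen[key].append(path)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(duplicate_names(SAMPLE))
```

To check real files, pass a dict that maps each path under /etc/nginx/sites-available to its contents.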