So I took a chance and (after saving copies) deleted /shared/ssl/forum.* and /shared/ssl/ssl* and rebuilt again, and that seems to have resolved it.
So it looks like it is picking up /shared/ssl/ssl.crt if an old one of them is lying around, rather than using the ones it is meant to be using.