Let's Encrypt uses self-signed for a www-version after auto renewal

TrafalgarLaw999

I thought Let's Encrypt's auto update would only automatically renew certificates within 30 days prior to the expiry date. But today, it did the auto renewal even though I have two and a half months remaining.

I just did a manual renewal 2 weeks ago without any problem. But after today's renewal, one of my domains' www-version has an SSL error. However, the non-www version (domain.com) was renewed and is accessible without any problem.

SSLLabs.com reports that www.domain.com has a certificate name mismatch error. It appears not to be using Let's Encrypt's generated certificate, but rather a self-signed one, with Common Name ns1.domain.com and no www-version listed in the "Subject Alt Names" section.

This is the entry from # httpd -S:
port 443 namevhost www.domain.com (/usr/local/directadmin/data/users/user/httpd.conf:59
alias domain.com

Part of httpd.conf:
<VirtualHost ip.ip.ip.ip:443 >
SSLEngine on
SSLCertificateFile /usr/local/directadmin/data/users/user/domains/domain.com.cert.combined
SSLCertificateKeyFile /usr/local/directadmin/data/users/user/domains/domain.com.key
ServerName domain.com
ServerAlias www.domain.com domain.com
ServerAdmin [email protected]
DocumentRoot /home/user/domains/domain.com/private_html
ScriptAlias /cgi-bin/ /home/user/domains/domain.com/public_html/cgi-bin/
UseCanonicalName OFF
</VirtualHost>

Content of file /usr/local/directadmin/data/users/user/domains/domain.com.san_config:
[ req ]
default_bits = 4096
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = bogus

[ req_distinguished_name ]
CN = domain.com
emailAddress = [email protected]

[ req_attributes ]
[ SAN ]
subjectAltName=DNS:domain.com, DNS:ftp.domain.com, DNS:mail.domain.com, DNS:pop.domain.com, DNS:smtp.domain.com, DNS:www.domain.com

DA Control Panel: https://domain.com:2222/CMD_SSL?domain=domain.com
[selected] Paste a pre-generated certificate and Key
Let's Encrypt in use. Auto-renewal in 59 Days.
Certificate Hosts: domain.com
Certificate Expiry: Mar 19 22:34:43 2022 GMT
[checked] Force SSL with https redirect


What I tried, and luckily succeeded with, was updating domain.com.san_config like this:
[ req ]
default_bits = 4096
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = bogus

[ req_distinguished_name ]
CN = www.domain.com
emailAddress = [email protected]

[ req_attributes ]
[ SAN ]
subjectAltName=DNS:domain.com, DNS:ftp.domain.com, DNS:mail.domain.com, DNS:pop.domain.com, DNS:smtp.domain.com, DNS:www.domain.com

Then, restart httpd. Phew, it works for now.

However, I will still need to fix that self-signed certificate. Any advice? Where should I look? Thanks!
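An added check (not from the original post, nor DirectAdmin's own tooling) that reproduces what SSL Labs reported: it builds a throwaway certificate from a san_config modelled on the one above, then tells you whether a given hostname is covered by the SAN and whether the certificate is self-signed (issuer equal to subject). Domain names and file paths are constructed placeholders; it assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example, not code from the post. Requires openssl >= 1.1.1 (for -ext).

# Print the DNS names from the certificate's subjectAltName, one per line.
san_dns_names() {
    # $1 = PEM certificate file
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
      | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Succeed if the hostname is listed in the SAN. Browsers ignore the CN once a
# SAN is present, so this is the check that decides a "name mismatch".
# Exact match only; wildcard entries are not expanded here.
san_has_host() {
    san_dns_names "$1" | grep -qx "$2"
}

# Succeed if subject == issuer, i.e. the certificate is self-signed.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Build a self-signed test cert from a constructed san_config (placeholder
# domain.com, as in the post) and print the path of the resulting cert.pem.
make_test_cert() {
    dir=$(mktemp -d)
    cat > "$dir/san_config" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = domain.com
[ SAN ]
subjectAltName=DNS:domain.com, DNS:www.domain.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -config "$dir/san_config" -extensions SAN \
      -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}

# Live use (needs network): fetch the leaf cert a server presents for a name,
# with SNI, so the same checks can be run on what www.domain.com really serves.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509
}
```

For the real host, `served_cert www.domain.com > live.pem` followed by `san_has_host live.pem www.domain.com` and `is_self_signed live.pem` shows whether the vhost is still handing out the ns1 self-signed certificate.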