If you have a tenant on a site, add it as www.domain.com, and request an SSL certificate only for the root domain "domain.com" (without www), the SSL cert that gets generated on the server for certbot is named "domain.com.conf".

If you now revoke the SSL certificate in order to generate a new one that adds in "www.domain.com" as well, you can't, because the request will fail with a log message saying: "There is already a valid cert for this domain - use the "--expand"... in order to expand the cert...".

If you now remove the tenant (in order to remove the cert from the server to re-add it) to start over, the actual cert isn't removed, since the cert should be named "www.domain.com.conf", so the tenant removal isn't finding the correct file.

The only way around this is to re-add the tenant as "domain.com" and, after it's been added, remove it so the corresponding file "domain.com.conf" is cleared. Then re-add the tenant again as "www.domain.com" and request new SSL certs.

No big issue...

Tenant SSL certificates can get "out of sync"

1 total vote
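A way to spot the leftover files described in the report above, as an added example that is not part of the original post or the product's own code. It assumes certbot keeps one renewal config per certificate as `<cert-name>.conf` in a single directory (certbot's default is `/etc/letsencrypt/renewal`) and that the current tenant hostnames are passed as arguments; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: list certbot renewal configs that no current tenant maps to.
# Assumption: one <cert-name>.conf per certificate in RENEWAL_DIR.

# Usage: find_orphaned_certs RENEWAL_DIR TENANT_HOST...
# Prints one line per renewal config whose name matches no tenant hostname:
#   <cert-name><TAB><tenant that differs only by "www.", or "-">
find_orphaned_certs() (
    renewal_dir=$1
    shift
    for conf in "$renewal_dir"/*.conf; do
        [ -e "$conf" ] || continue      # empty directory: glob did not expand
        name=$(basename "$conf" .conf)
        exact=0
        near="-"
        for host in "$@"; do
            if [ "$host" = "$name" ]; then
                exact=1
                break
            fi
            # Same site, different "www." prefix: the out-of-sync case above.
            if [ "$host" = "www.$name" ] || [ "www.$host" = "$name" ]; then
                near=$host
            fi
        done
        if [ "$exact" -eq 0 ]; then
            printf '%s\t%s\n' "$name" "$near"
        fi
    done
)

# Run directly, e.g.: ./orphans.sh /etc/letsencrypt/renewal www.domain.com
if [ "$#" -ge 2 ]; then
    find_orphaned_certs "$@"
fi
```

A line with a tenant in the second column is a certificate a tenant removal keyed on the tenant hostname would miss; a `-` means no tenant is related to that file at all.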