Hello, i have issue with sharing certeficate with subdomains.

Using Debian 9, Nginx. Installed successfully on my www.domain.com and domain.com.

But, when i try to share this certeficate with subdomain like subdomain.domain.com, it shows ERROR

username@Debian:/etc/nginx/sites-available$ sudo certbot certonly -a webroot --webroot-path=/var/www/domain-d subdomain.domain.com --expand
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for subdomain.domain.com
Using the webroot path /var/www/domain/phppgadmin for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. subdomain.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://subdomain.domain.com/.well-known/acme-challenge/f3HvI4S970igQArAPRJvXlWyvpE_xTkSK9tU3BcG1rA: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: subdomain.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://subdomain.domain.com/.well-known/acme-challenge/f3HvI4S970igQArAPRJvXlWyvpE_xTkSK9tU3BcG1rA:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I have certeficate for www.domain.com + domain.com. But i need to use subdomain for PhPPgAdmin. I have also configured subdomain.domain.com in my 1&1.com account. It show that i own that subdomain. Certeficate renew command for domain.com works fine, when i try add -d domain.com it shows message to reissue cert Y/N. But when it comes subdomain, got ERROR.
My DNS settings for subdomain same as domain.com.
Also, configured DigitalOcean domain records like that:

Type    Hostname            Value                        TTL (seconds)  
CNAME   www.domain.com    is an alias of     domain.com.        43200 
AAAA    subdomain.domain.com    directs to     2a03:b0c0:2:d0::349e:1001    3600 
CNAME   *.subdomain.domain.com    is an alias of    subdomain.domain.com.    43200 
A   subdomain.domain.com    directs to    178.62.***.**    3600
A   domain.com  directs to   178.62.***.**    3600 
AAAA    domain.com   directs to   2a03:b0c0:2:d0::349e:1001   3600  
NS  domain.com      directs to     ns3.digitalocean.com.    1800 
NS  domain.com      directs to     ns1.digitalocean.com.     1800 
NS  domain.com      directs to     ns2.digitalocean.com.     1800

In addition, i want to tell that i was able to visit my subdomain.domain.com for a while and use PhPPgAdmin. But after indexing i got this ERROR

Your connection is not private

Attackers might be trying to steal your information from subdomain.domain.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

Automatically send some system information and page content to Google to help detect dangerous apps and sites. Privacy policy

ReloadHIDE ADVANCED
sybdomain.domain.com normally uses encryption to protect your information. When Google Chrome tried to connect to subdomain.domain.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be subdomain.domain.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit subdomain.domain.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

Any firewalls disabled, not helped. If i ping my subdomain.domain.com it is fine with packages.

Nginx.conf

server {
         listen 443 ssl http2 default_server;
         listen [::]:443 ssl http2 default_server;

        root /var/www/domain/public;

        index index.php index.html index.htm index.nginx-debian.html;

        server_name domain.com;

        include snippets/ssl-domain.com.conf;
        include snippets/ssl-params.conf;
        location ~ /.well-known {
                allow all;
        }
         if ($scheme != "https") {
                return 301 https://$host$request_uri;
         } 

        location / {
                try_files $uri $uri/ /index.php?$query_string;
        }

     location ~ [^/]\.php(/|$) {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
                include fastcgi_params;
        }

        location ~ /\.ht {
                deny all;
        }
}

# PhpPgAdmin, redirect to phppgadmin for managing DB
server{
        server_name     subdomain.domain.com;
        root            /var/www/domain/phppgadmin;
        index index.php index.html index.html

        access_log      /var/log/phppgadmin/access.log;
        error_log       /var/log/phppgadmin/error.log;

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
               include fastcgi_params;
        }

        location / {
                allow   18*****
                deny    all;
        }
}

That is why i need to share my certeficate or issue new one for subdomain.domain.com.

Any ideas how to fix it?