When adding an alias domain it's not possible to issue SSL. Doing so will break SSL for the primary domain (giving it the self-issued 'www.example.com' certificate), and for the alias domain.
I can see in the logs that this is because the SSL issuing routine is trying to request from LE a certificate for: primarydomain.com www.primarydomain.com alias.primarydomain.com www.alias.primarydomain.com
It is this last one that cuases the problem. When adding an alias domain, the user is not also adding a "www.alias." version of it. Why would they?
Currently the work around I've found is to run the SSL request manually, on the command line, omitting the "www.alias..." version of the domain name. I suggest it should be omitted by CP to. But even better would be the next suggestion...
Would it not be better to simply request a wildcard SSL certificate in the first instance of requesting SSL on the primary domain?
**ADDITIONAL FEATURE SUGGESTION**
Also, I would suggest adding indicators into Cyberpanel to actually show more information about what SSL certificates are active, and which domains and websites have them active. Currently one must already know, or simply guess.