I don't see an api subdomain on crt.sh nor does that subdomain resolve. I do however see an hr subdomain which has a different IP address (ending in 10 instead of 12) and has LiteSpeed listening.
I also see an Entrust wildcard (pre)certificate which could also be used I guess, so not sure why OP requires these LE certs to begin with.