Perhaps you should use
certbot -d '*.hepatica.site' -d hepatica.site --manual --preferred-challenges dns certonly
So you need two DNS TXT entries with the same name, but different values.
Then you have a certificate that works with your main domain and every subdomain.
If you create only a certificate with *.hepatica.site, hepatica.site isn't secure.
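
Added example, not part of the original post: a small Python check showing why both names are validated under the same TXT record name and why a wildcard-only certificate leaves the bare domain uncovered. The function names and the sample host and SAN lists are constructed for illustration; the matcher follows the usual rule that a wildcard stands for exactly one left-most label.

```python
# Added illustration; host and SAN lists below are constructed sample input.

def challenge_record_name(identifier: str) -> str:
    """DNS-01 TXT record name for an identifier (the '*.' prefix is dropped)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.lower().rstrip(".")


def san_matches(hostname: str, san: str) -> bool:
    """True if a certificate dNSName entry covers hostname.

    A wildcard replaces exactly one left-most label, so *.example.test
    covers www.example.test but neither example.test nor a.b.example.test.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return host[1:] == pat[1:]
    return host == pat


def uncovered(hostnames, sans):
    """Hostnames that no SAN entry in the certificate covers."""
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


HOSTS = ["hepatica.site", "www.hepatica.site", "mail.hepatica.site"]
WILDCARD_ONLY = ["*.hepatica.site"]
BOTH = ["*.hepatica.site", "hepatica.site"]

if __name__ == "__main__":
    # Both identifiers map to one record name, hence two TXT values there.
    for name in BOTH:
        print(name, "->", challenge_record_name(name))
    print("wildcard only, uncovered:", uncovered(HOSTS, WILDCARD_ONLY))
    print("both names, uncovered:", uncovered(HOSTS, BOTH))
```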