That DNSViz output has a line reading "NSEC proving non-existence of eleo.komma.dev/A", which makes me think that DNSSEC simultaneously thinks eleo. doesn't exist even though it also knows *. does exist? Wildcard DNS along with a non-wildcard certificate seems like a weird use case anyhow, though I don't know why it wouldn't work. Is there some reason you're going about what you're doing this way, and maybe there's a better one that your DNS server will like better? I really need to dive deep and learn the intricacies of how DNSSEC works at some point, so I'm not sure I'm being all that helpful, but it sounds like there's something in your setup which is misconfigured (or your DNS server has some kind of bug when dealing with wildcard records?).
Depending on what kind of interface your DNS provider gives you, can you maybe disable DNSSEC and re-enable it, or have them re-sign your zone, or something like that? Or maybe add an explicit eleo. record, even if you're going to have a wildcard result for some other names?
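As an added example, not code from the original thread or from DNSViz, here is a small Python model of why a signed zone that answers a name from a wildcard carries an NSEC denying that exact name: for a wildcard-expanded answer, RFC 4035 section 3.1.3.3 requires the server to include the NSEC proving that no closer match than the wildcard exists, so "NSEC proving non-existence of eleo.komma.dev/A" alongside an A record synthesised from *.komma.dev is what a correct response looks like, not a contradiction. The zone below (apex, one wildcard, one explicit host, and their type bitmaps) is constructed; every name and record in it is an assumption, and the chain is walked from zone data rather than from a live response.

```python
"""Compute, from a zone's NSEC chain, which NSEC records a DNSSEC response must
carry for a query (RFC 4034 s6.1 canonical ordering; RFC 4035 s3.1.3 proofs).

Added example, not code from the original thread. The zone below is
constructed: an apex, a wildcard, and one explicit host. All names and type
bitmaps are assumptions.
"""

# Constructed NSEC chain: owner -> (next owner in canonical order, type bitmap).
ZONE_NSEC = {
    "komma.dev.":      ("*.komma.dev.",    {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    "*.komma.dev.":    ("mail.komma.dev.", {"A", "NSEC", "RRSIG"}),
    "mail.komma.dev.": ("komma.dev.",      {"A", "MX", "NSEC", "RRSIG"}),
}


def labels(name):
    """Labels of a fully-qualified name, root-most first, lower-cased."""
    return [l.lower() for l in name.rstrip(".").split(".") if l][::-1]


def canonical_key(name):
    """RFC 4034 s6.1 ordering key: compare label by label from the root, as raw
    bytes, case-insensitively; a name sorts before any name it is a prefix of."""
    return tuple(l.encode() for l in labels(name))


def nsec_covers(owner, next_name, name):
    """True if `name` lies strictly between `owner` and `next_name`, i.e. the NSEC
    at `owner` proves `name` does not exist. The last NSEC in the chain points
    back at the apex, so its range wraps around."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n   # wrap-around: largest name -> apex


def covering_nsec(nsecs, name):
    """Owner of the NSEC that covers `name`, or None if `name` exists in the zone."""
    if name in nsecs:
        return None
    for owner, (nxt, _types) in nsecs.items():
        if nsec_covers(owner, nxt, name):
            return owner
    return None


def closest_encloser(nsecs, qname):
    """Longest existing ancestor of qname (RFC 4592 s3.3.1)."""
    ls = labels(qname)
    for i in range(len(ls) - 1, 0, -1):
        cand = ".".join(ls[:i][::-1]) + "."
        if cand in nsecs:
            return cand
    raise ValueError("apex missing from NSEC chain")


def classify(nsecs, qname, qtype):
    """Return (rcode, proof) for a query: rcode a validator must accept, proof the
    NSEC owner names whose records justify it."""
    if qname in nsecs:                       # exact match: no wildcard involved
        ok = qtype in nsecs[qname][1]
        return ("NOERROR" if ok else "NODATA", [qname])
    enc = closest_encloser(nsecs, qname)
    # Next closer name: one label below the closest encloser, towards qname.
    nc = ".".join(labels(qname)[: len(labels(enc)) + 1][::-1]) + "."
    nc_nsec = covering_nsec(nsecs, nc)
    if nc_nsec is None:
        raise ValueError("inconsistent chain: next closer neither exists nor is covered")
    wildcard = "*." + enc
    if wildcard in nsecs:
        # Wildcard expansion. The answer is synthesised from `wildcard`, and the
        # NSEC covering the next closer name MUST be in the response (RFC 4035
        # s3.1.3.3) to prove no closer match pre-empted the wildcard. That is the
        # "NSEC proving non-existence of eleo.komma.dev/A" DNSViz shows: it is part
        # of a valid wildcard answer, not a denial of the A record.
        ok = qtype in nsecs[wildcard][1]
        return ("NOERROR" if ok else "NODATA", [nc_nsec, wildcard])
    # No wildcard at the closest encloser: NXDOMAIN additionally needs an NSEC
    # covering the wildcard name itself.
    return ("NXDOMAIN", [nc_nsec, covering_nsec(nsecs, wildcard)])


if __name__ == "__main__":
    for q, t in [("eleo.komma.dev.", "A"), ("www.eleo.komma.dev.", "A"),
                 ("eleo.komma.dev.", "TXT"), ("mail.komma.dev.", "A")]:
        print(q, t, classify(ZONE_NSEC, q, t))
```

In the constructed zone the NSEC owned by *.komma.dev is the one that covers eleo.komma.dev, so a single record both proves the wildcard exists and denies the exact name, which matches what the DNSViz line describes. A real validator derives the closest encloser from the RRSIG label count rather than by walking the zone, but the records it demands are the same ones this function names.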
I need this setup due to automatic development site creation. So I removed the DNSSEC signing on the DNS server and on the domain name. Let's see tomorrow if renewal works again. Will update this post tomorrow!