Usually this has to do with whether or not a cPanel instance of the hosting provider makes an internal exception/"pointer" for each "functional" (i.e. internal) subdomain name. Traditionally I've only acquired certificates covering these three domain names for each of my own domains (and some "extra" subdomain names when hosting multiple domain names on one cPanel, which is slightly more complex):
domain.com
mail.domain.com
www.domain.com
I've had mixed results covering the whole lot of internal subdomain names due to the inconsistency over time with how cPanel handles the HTTP-01 challenges used be Let's Encrypt to verify domain control.
If you're hosting multiple domain names on one cPanel, I highly recommend following what I've written here: