Hi Patrick (@Pbcaseyjdcpa) and welcome to the LE community forum
crt.sh | remote.caseylawgroup.com
A certificate can be used by any service that resides within an IP that can be resolved by any of the names within the cert's SAN field.
In the simplest case, where there is only one name and that name only points to one single IP, we still have the case of multiple services within said IP to use any available cert for its name.
So... the same system can be using one cert for HTTP(S), another cert for SMTP, and another cert for streaming services. Yes, they could all be using the same cert - but there is no guarantee of that nor any requirement for that to happen.
So... it is quite possible that both statements are true. It just depends which service you check for cert expiry.
That said (and I realize it was a mouthful), you will need to check each service individually to ensure they have all been "renewed" (using a non-expired cert).
And, if not, then you must dig into their configs to update the certificate being used to one that hasn't expired OR renew the expired one [a system can have more than one valid cert for that single name at a time].
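
One way to run the per-service check described in the post above, as an added example that is not part of the original post: `probe()` handshakes with one implicit-TLS port and `audit()` compares what each service returned. The service labels, ports, serials and dates in `SAMPLE` are constructed, and STARTTLS services such as SMTP on port 25 are assumed out of scope.

```python
import socket
import ssl

def probe(host, port, timeout=5.0):
    """TLS handshake with an implicit-TLS service (443, 465, 993, ...).
    Returns {"serial", "not_after", "error"}; STARTTLS ports are not handled."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {"serial": cert["serialNumber"], "not_after": cert["notAfter"], "error": None}
    except ssl.SSLCertVerificationError as exc:
        # An expired cert fails verification with "certificate has expired".
        return {"serial": None, "not_after": None, "error": exc.verify_message}
    except OSError as exc:
        return {"serial": None, "not_after": None, "error": str(exc)}

def audit(results, now, warn_days=14):
    """results maps a service label to a probe() dict; now is epoch seconds.
    Returns (status per service, set of distinct cert serials seen)."""
    status, serials = {}, set()
    for label, res in results.items():
        if res["error"]:
            status[label] = "FAIL: " + res["error"]
            continue
        serials.add(res["serial"])
        days = (ssl.cert_time_to_seconds(res["not_after"]) - now) // 86400
        if days < warn_days:
            status[label] = f"renew soon ({days}d left)"
        else:
            status[label] = f"ok ({days}d left)"
    return status, serials

# Constructed sample results (not real scan output): one host, three services,
# each serving a different certificate for the same name.
SAMPLE = {
    "https:443": {"serial": "0A01", "not_after": "Mar  1 00:00:00 2030 GMT", "error": None},
    "smtps:465": {"serial": "0B02", "not_after": "Jan 10 00:00:00 2030 GMT", "error": None},
    "imaps:993": {"serial": None, "not_after": None, "error": "certificate has expired"},
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")
```

More than one serial in the returned set means the services are not sharing a single cert, so a renewal on one of them says nothing about the others.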