So if I understand correctly, you're using certbot to install the already existing certificate into a new virtualhost? I'm guessing here, but probably because certbot initially also created the HTTPS virtualhost in the first place? My suggestions:
- Just create the HTTPS virtualhost in nginx yourself instead of certbot. Shouldn't be too hard, right? Just create the HTTPS virtualhost with the SSL options pointing to the existing certificate and reload nginx.
- There's nothing to remove from the wildcard certificate? The certificate contains just the hostname
*.domain.tld, any subdomain added/present in cPanel doesn't magically show up in the certificate. Or maybe I don't understand you entirely?