Thanks for the suggestion, but was not the issue. Have checked the LE install/configuration symlinks.....and all appear correct from my understanding.
lead me to think about other possible issues and have found what the problem was discovered in this thread.
" /etc/httpd/conf.d/ssl.conf" contained a default Virtual Host for 443 connections, within which it used a localhost certificate."
This was issuing the server local cert as the "Third cert".
Once I had removed/commented this default virtual server, it allowed LE to correctly issue for base domain and subdomain.
As a recap, There where two answers to my request
- Answer provided by @_az at top of thread.
- Answer found in this thread Certbot issuing self-signed certificate
Our configuration is is a newly installed Centos 7 using apache 2.4.6 .
Old Apache and other versions, require to setup copy of a production server to allow for testing to upgrade.
The answer is always obvious once you know....It's the journey getting there that makes it enjoyable.
Thanks once again to everyone's suggestions and input.