When you start with a configuration like this
LETSENCRYPT_HOST=www.example.com
and you later change it to
LETSENCRYPT_HOST=example.com,www.example.com
you'll end up with the certificate for www.example.com not being updated any more.

As far as I understand, the reason is that in letsencrypt_service, create_link(), the links from the subdomains to the base domain cert only get set up, if they do not yet exist. But they do already exist in this scenario, and the links for www.example.com will always point to the cert that has been created before the change to a multi-domain cert. That cert is going to expire at some point.

Running this within the docker-letsencrypt-nginx-proxy-companion container resolved the problem:

rm -r /etc/nginx/certs/www.example.com* /app/update_certs 

I'm not sure if it would make sense to change the behaviour of create_link() without having other side effects.