URL Handling

Why is certbot not issuing a certificate?

When executing the sudo certbot --nginx command, the output is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: sub1.domain.com
2: sub2.domain.com
3: sub3.domain.com
4: sub4.domain.com
5: sub5.domain.com
6: sub6.domain.com
7: sub7.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 7
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub7.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sub7.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sub7.domain.com/.well-known/acme-challenge/suPcnp-SmqQ5gJxkRCk_FiIpkYFzBkwmxgMBQfGRF0s [127.0.0.1]: "<html>\r\n<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>400 B"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sub7.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://sub7.domain.com/.well-known/acme-challenge/suPcnp-SmqQ5gJxkRCk_FiIpkYFzBkwmxgMBQfGRF0s
   [127.0.0.1]: "<html>\r\n<head><title>400 The plain HTTP request
   was sent to HTTPS port</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>400 B"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Although before that on a similar nginx config

server {
  listen			80;
  server_name		sub7.domain.com;
  return			301 https://$server_name$request_uri;
}

server {
  listen 			443 ssl;
  server_name		sub7.domain.com;
  root                         /path/to/root/folder;
  index			index.php;
  
  client_max_body_size	512m;

  location / {
    try_files $uri $uri/ /index.php$is_args$args;
  }

  location = /favicon.ico { 
    log_not_found off; 
    access_log off; 
  }

  location /app/ {
    		root		        /path/to/root/folder;
    		index		index.html;
  	}

  location = /robots.txt { 
    log_not_found off; 
    access_log off; 
    allow all; 
  }

  location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
    expires max;
    log_not_found off;
  }

  location ~ \.php$ {
    include		snippets/fastcgi-php.conf;
    fastcgi_pass	unix:/run/php/php7.3-fpm.sock;
  }	
  
  large_client_header_buffers 4 32k;
}

everything worked out without problems.
There are corresponding A-records for the subdomain, the site opens via https, and via http it returns "400 bad request: The plain HTTP request was sent to HTTPS port".
Wget sub7.domain.com returns

http://sub7.domain.com/
Resolving sub7.domain.com (sub7.domain.com)... 127.0.0.1
Connecting to sub7.domain.com (sub7.domain.com)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://sub7.domain.com/ [following]
--2020-01-16 10:07:57--  https://sub7.domain.com/
Connecting to sub7.domain.com (sub7.domain.com)|127.0.0.1|:443... connected.
The certificate's owner does not match hostname ‘sub7.domain.com’