Hi Bionick,
Not really what I’d expect, but worth a try: is everyone using the same client? Could it be that it caches the certificate?
I read your previous thread about renewing the certificate. I do not have a muc.maindomain.tld record in my hosts file, but my certificates renew without a problem. Maybe that thing is related to the connection running over WireGuard?
Anyway, when I try to open muc.maindomain.tld in my browser, it returns an error; the certificate that is shown is self-signed. I think it has to do with SSO catching the URL (I get the same warning when connecting to a non-existent sub-domain).
In short: I have no idea how to help you further.