I don't know what the problem is, but the workaround is the following:
ee site update domain.com --le=off
find . -name 'domain.com*' | xargs rm -rfv
ee site update domain.com --le
You first disable SSL for the site, remove all configuration files regarding such domain, then recreate the SSL site from scratch.
Try the commands above in a test environment first: they work for me, but you know I can't take any responsibility over your server.
[EDIT] It might be necessary to clear all chaches in order to publish the new cert:
ee clean --all.