Update:
I’m still having this issue. I was hoping removing all Let’s Encrypt data like in this thread and re-provisioning would fix it, but it didn’t.
I created a new instance if the Staging server, provisioned, deployed and even migrated the DB from Production to Staging, and it does not have the same problem. Though, the Staging server has a .xyz domain, and the Production has .com.au – so it could still be related to international domains.
(But then that said, I’ve deployed another .com.au website using Trellis/Let’s Encrypt and it does not have this issue … confusing!)