For https://abralaboca.net/ you might double-check that this is not being applied:
letsencrypt_ca: "https://acme-staging.api.letsencrypt.org"
The ssl docs mention that
Note that browsers will display an error/warning that they don’t recognize the Certificate Authority so this should only be used for testing purposes.
If you want to use that fake cert authority to avoid rate limits on staging, be sure to only define letsencrypt_ca with that staging cert authority in a group_vars/staging file.
If you want a real cert for production, be sure you are not defining letsencrypt_ca with that staging cert authority anywhere in group_vars/all or group_vars/production etc.
As for www.stage.lolafonseca.com, I haven’t looked closely but it may be an instance of the as-yet-unresolved issue of www + subdomains not redirecting, as reported in response to roots/trellis#570. If that is relevant, there is more discussion here Problems with .com.au domains?