SSL is not valid for www.domain.com

Are you following the instructions at Set up Let’s Encrypt with multiple domains / redirects?

If you plug www.mysite.com in the tempate in the OP it generates this:

after_ssl:
   # tell letsencrypt what additional certs to get
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--keylength/
        to: "-d www.mysite.com --keylength"
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--fullchainpath/
        to: "-d www.mysite.com  --fullchainpath"
        global: true

So you’re doing it wrong.