No alternative certificate subject name matches "ucs-sso.domain.tld"

This error happens when joining a new UCS system.
I actually do have a working Let’s Encrypt SSL on the ucs-sso.domain.tld, but only on 1/2 UCS-VMs.

When I remove the DNS entry internally, it will just result in an error that it cannot find the host behind ucs-sso…

As I’m currently not using the SSO, I might just remove it. But how can I do this so it won’t make a new system unjoinable?