I had this problem and assumed that the SSL system would need www.sub.example.com in the DNS to fully function. Can you confirm that when sub.example.com exists in the DNS, but www.sub.example.com doesn’t, then the certificate will be issued and renewed for the single sub-domain?
Yes, that’s correct - as long as there’s one valid DNS entry pointing to the server, then sympl-ssl should be fine.
If the configuration changes (i.e. www.subdomain.example.com goes away and is replaced with subdomain.example.com or vice versa) you may need to run sympl-ssl --verbose --force subdomain.example.com to trigger it to get a new certificate, as the checks for a valid cert are based on expiry and having any valid names on it.
The first time you run sympl-ssl --verbose sub.example.org it will try to generate a certificate which includes www.sub.example.org; however, the end result is a certificate only for sub.example.org (assuming www.sub.example.org either doesn’t exist in DNS or doesn’t point to Sympl).