You must use a wildcard SSL certificate for your domain name so that all sub-domains are also protected with the same certificate.
For example, the wildcard SSL certificate for *.domain.tld would also protect:
domain.tld
www.domain.tld
shop.domain.tld
mysubdomain.domain.tld
and many others.
If you're running a WP Multisite with sub-domains, you can obtain a wildcard SSL certificate through the Cloudflare DNS API:
wo site update example.com -le=wildcard --dns=dns_cf
More details about configuring the Let's Encrypt DNS API are available in the official WordOps documentation.
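
To check which hostnames an issued certificate really covers, the sketch below (an added example, not WordOps code) parses the SAN list printed by `openssl x509 -noout -ext subjectAltName` and applies the wildcard matching rule, in which `*` stands for a single label. The SAN text is a constructed sample that assumes the certificate lists both domain.tld and *.domain.tld; `cert.pem` and `a.shop.domain.tld` are illustrative names.

```shell
#!/usr/bin/env bash
# Added example: which hostnames does a certificate's SAN list cover?
# Sample below is constructed; for a real certificate, feed in the output of
#   openssl x509 -in cert.pem -noout -ext subjectAltName   (cert.pem = placeholder)

SAMPLE_SAN_TEXT='X509v3 Subject Alternative Name:
    DNS:domain.tld, DNS:*.domain.tld'

# Print one lower-cased DNS SAN per line from openssl's text output.
parse_sans() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*DNS://p' | tr 'A-Z' 'a-z'
}

# Return 0 if SAN entry $2 covers hostname $1.
san_matches() {
  local host san suffix label
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  san=$2
  case "$san" in
    '*.'*)
      suffix=${san#\*}                       # e.g. ".domain.tld"
      case "$host" in
        *"$suffix") label=${host%"$suffix"} ;;
        *) return 1 ;;
      esac
      # "*" stands for exactly one non-empty label, so no dots allowed.
      [ -n "$label" ] && [ "${label#*.}" = "$label" ]
      ;;
    *) [ "$host" = "$san" ] ;;
  esac
}

# Return 0 if any SAN in openssl text $2 covers hostname $1.
cert_covers() {
  local san
  while IFS= read -r san; do
    san_matches "$1" "$san" && return 0
  done <<EOF
$(parse_sans "$2")
EOF
  return 1
}

for h in domain.tld www.domain.tld shop.domain.tld a.shop.domain.tld; do
  if cert_covers "$h" "$SAMPLE_SAN_TEXT"; then echo "covered:     $h"
  else echo "NOT covered: $h"; fi
done
```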