We just updated/created new certificates, uploaded them in the TLS Keystore and updated the corresponding references (Apigee Edge). Previously running virtual hosts (sub1.domain.com, sub2.domain.com) using existing references are working fine. The updated certificates validate fine with openssl and Chrome on the virtual hosts' domain.
The certificate is a wildcard certificate from Let's Encrypt; we uploaded the fullchain PEM and the private key.
Now we want to create a new virtual host for another subdomain (sub3.domain.com), but we receive the following error:
curl 'https://apigee.com/organizations/<my_org>/environments/test/virtualhosts' \
-H 'Accept: application/json' \
--data-raw '{"hostAliases":["sub3.domain.com"],"name":"my_vhost","port":"443","sSLInfo":{"enabled":"true","keyAlias":"domain.com","keyStore":"ref://domain.com","ignoreValidationErrors":false},"useBuiltInFreeTrialCert":false}'
<< response status code 400
<< response body
{
"code" : "messaging.config.beans.VirtualHostCACertValidationError",
"message" : "Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be trusted by java trust anchors or CAs",
"contexts" : [ ]
}
Thanks for any help resolving this issue!