Sophos XG230 won't use correct certificate for Captive Portal (V18.0.3)

Hey there Sophos Community,

I am working with AD-SSO and STAS authentication with our XG230 firewall from Sophos. We haven't used web authentication for about 3 years and now we want to start using this function. Everything seemed to work correctly and we had no problems for about 3 weeks, but now some users are getting an error message while browsing different websites.

As I investigated the problem, I saw that this only happens when users try to surf to social media websites which are configured to "warn". When you press "continue" you get forwarded to the captive portal, which isn't working -> certificate not valid, HSTS won't allow you to continue.

I first checked the certificate and was wondering... are the CA and the certificate swapped? See here:

It's actually the certificate for our web proxy; here is the "correct" one:

This was the first thing I was wondering about. The next was that, actually, it should use the same certificate as the User Portal and WebAdmin, as in this option under "Administration" -> "Admin Settings":

So this is our wildcard certificate, which is used for WebAdmin and User Portal and is functioning without any problems:

In this process I rebooted the Sophos firewall multiple times and checked multiple other configurations. The biggest question I have is that the "wrong/invalid" certificate shows the info "issued from sophos-fw", which is a hostname of the firewall that was changed months ago!

Could it be that there is a bug which prevents the certificate for the captive portal from being correctly generated, or something like that? I was expecting the wildcard certificate to be used, because we have given our own redirect hostname "sophos.domain.tld" (which matches the certificate):

Would be nice if anybody could help me out here; I have no more ideas what to check to get that working. (As a workaround we have created exceptions for the 2-5 users who get the error.)

Thank you in advance!
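A quick check that is not part of the original post or of any Sophos tooling: it connects to the portal hostname with SNI, reports the CN/SAN names and issuer of the leaf certificate actually served, and says whether they cover the redirect hostname. The port 8090, the hostname sophos.domain.tld taken from the post, and the `cryptography` package for DER decoding are assumptions.

```python
import socket, ssl

CAPTIVE_PORTAL_PORT = 8090  # assumption: change to the port your portal listens on

def hostname_matches(cert_names, expected_host):
    """True if expected_host is covered by a CN or DNS-SAN entry. A wildcard such as
    *.domain.tld covers one label: sophos.domain.tld yes, a.b.domain.tld / domain.tld no."""
    host = expected_host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".domain.tld"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False

def diagnose(names, issuer, expected_host):
    """Plain-words verdict for the leaf cert's names/issuer vs. the portal hostname."""
    if hostname_matches(names, expected_host):
        return f"OK: {expected_host} is covered by {names} (issuer {issuer!r})"
    return (f"MISMATCH: portal presents {names} issued by {issuer!r}, which does not "
            f"cover {expected_host}; browsers (and HSTS) will refuse the redirect")

def fetch_leaf_names(host, port=CAPTIVE_PORTAL_PORT, timeout=5):
    """Connect with SNI and return (names, issuer_cn) of the leaf actually served.
    Verification is off on purpose so the *wrong* cert can be inspected; the DER is
    decoded with the third-party `cryptography` package (assumed installed)."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = x509.load_der_x509_certificate(tls.getpeercert(binary_form=True))
    names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        names += san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    issuer = cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)
    return names, (issuer[0].value if issuer else None)

if __name__ == "__main__":  # usage: python portal_cert_check.py sophos.domain.tld
    import sys
    print(diagnose(*fetch_leaf_names(sys.argv[1]), expected_host=sys.argv[1]))
```

Run it from a client on the LAN; a MISMATCH naming sophos-fw as subject or issuer shows the portal is still serving the old proxy certificate rather than the wildcard one.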