WAP certificate renewal can be handled by any node. It does not need to be handled by the primary. When a secondary receives the request, it forwards it to the primary. Secondaries and the primary sync every 5 minutes, which means that 5 minutes later, the new certificate can be used on the secondary. And because the renewal takes place before the current certificate expires, you should not see any interruptions.
Obviously, if you see that it's not working as described above, it means something else is not working in this process. Maybe some communication error between the primary and secondaries. Can you make sure the last sync took place without error? Maybe some TLS errors with the secondary? Some network traces should clear that up. If your load balancer is doing SSL inspection, it will also break this mechanism.
Also, you can use this tool to check the configuration of your farm.