What's the problem ?

Actually, subfinder use a simple GET request to get subdomain from crt.sh. This technique is simple but it can miss lot of subomain.

Do you have an idea for a solution?

Solution: use the progresql database of crt.sh (open to everyone). Script example :

#!/bin/sh

query="SELECT ci.NAME_VALUE NAME_VALUE FROM certificate_identity ci WHERE reverse(lower(ci.NAME_VALUE)) LIKE reverse(lower('%.$1'));"
(echo $1; echo $query | \
    psql -t -h crt.sh -p 5432 -U guest certwatch | \
    sed -e 's:^ *::g' -e 's:^*\.::g' -e '/^$/d' | \
    sed -e 's:*.::g';) | sort -u

How can we reproduce the issue?

subfinder output:

PSQL output