I am facing a similar issue with version 3.12.4 and earlier. I am not using the new Octopus built in certificate store. We have a wildcard cert that is bound to ('*'/' '/'0.0.0.0') port 443 for multiple websites. When changing an existing website IP Address binding from ('*'/' '/'0.0.0.0') in the "Deploy IIS Website" step, the "Removing unused SSL certificate binding" action is removing the cert binding from all websites; taking those sites down.
Thank you for taking the time to send through that PR, like I mentioned on GitHub we're working on a solution for your situation and the other scenarios customers had issues with. This fix is currently in review and should be ready to merge in the next day or so.