Verify wildcard certificate covers the right subdomains. Free wildcard ssl certificate checker.
The Wildcard SSL Checker verifies that a wildcard certificate (e.g. *.example.com) is correctly deployed and covers the subdomains you expect. A wildcard cert matches one level of subdomains (e.g. api.example.com, www.example.com) but not the apex (example.com) unless it is also in the SANs, and not nested subdomains (e.g. a.b.example.com) unless you have a separate cert or a multi-level wildcard where supported. This tool typically connects to the apex and several subdomains, reports which certificate is served and what names it covers, and highlights mismatches or missing coverage. Use it after issuing or renewing a wildcard cert to confirm all intended hostnames are valid, and to troubleshoot browser errors on specific subdomains.
No. The apex is not covered by a single-level wildcard. Include example.com in SANs or use a separate cert.
*.example.com covers one level (e.g. b.example.com). For a.b.example.com you need *.b.example.com or a separate cert.
Most CAs support wildcards; Let's Encrypt requires DNS-01 challenge for wildcards.
That host might be pointing to a different server with a different cert, or the cert might not include that name.
Run the checker for each domain or use a multi-domain SSL checker that supports wildcard validation.