> A server MAY consider a client authorized for a wildcard domain if it is authorized for the underlying domain name (without the “*” label).

Although this seems to be gone from https://ietf-wg-acme.github.io/acme/, which I think is the later version.