[eridius]

There's a long StackExchange answer about this: https://security.stackexchange.com/a/158164

But it boils down to there being no practical way for Let's Encrypt to automatically validate that a wildcard certificate is safe to issue.

[poizan42]

It's a long answer that completely fails to address the possibility of validating ownership of the domain itself by e.g. adding a TXT record, which the ACME protocol already supports.

[eridius]

The general point is that being able to control the parent domain doesn't necessarily mean you control all possible subdomains as well. You need to prove ownership, not just control. Here's the relevant bit from the SO answer:

> If I have ownership of the parent domain example.com then I can freely create and control anything as a subdomain, at any level I choose. Note that here "ownership" is distinct from "control", which is what is validated by the ACME protocol.