Site still coming up insecure

I have gone and got a certificate for *.contoso.com and contoso.com. I have installed it against the default website on Windows Server IIS.

I am now browsing (using the same server) to https://dc1.internal.contoso.com/RDWeb/Pages/en-US/login.aspx and am still getting a message before the site loads that it is insecure.

If I look at the details of this message in the browser it says certificate is not valid. The issuer is LetsEncrypt R3, and it is issued to *.contoso.com.

What am I doing wrong?

I assume the error you are seeing is something like Invalid Name.

Wildcard certificates only cover the first level of subdomain, so you actually need either a specific cert for dc1.internal.contoso.com or a wildcard for *.internal.contoso.com.
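The matching rule from the answer above, as an added example that is not part of the original posts: a Python check of a certificate's DNS names against the hostname being browsed. The function names are illustrative, and partial wildcards such as `f*.contoso.com` are simply treated as non-matching.

```python
def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def san_matches(pattern: str, host: str) -> bool:
    """True if one certificate DNS name entry covers host.

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label, so it never spans a dot.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False  # '*' cannot absorb extra subdomain levels
    if p[0] == "*":
        # Need a parent domain after the '*' and a non-empty host label.
        return len(p) >= 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(sans: list[str], host: str) -> bool:
    """True if any name on the certificate covers host."""
    return any(san_matches(s, host) for s in sans)


def names_that_would_cover(host: str) -> list[str]:
    """The exact name and the one-level wildcard that would cover host."""
    h = _labels(host)
    return [".".join(h), ".".join(["*"] + h[1:])]


if __name__ == "__main__":
    sans = ["*.contoso.com", "contoso.com"]  # names on the cert in the thread
    for host in ["contoso.com", "www.contoso.com", "dc1.internal.contoso.com"]:
        print(f"{host:28} covered={cert_covers(sans, host)}")
    # Names to request so that the RDWeb host validates:
    print(names_that_would_cover("dc1.internal.contoso.com"))
```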

Yes that was exactly the issue - thank you.

Using DNS validation - will the renewal still be automatic? (My DNS is with Office 365 - is that what is also called Azure DNS?)

Regarding renewals, the app repeats the exact steps it used to get your initial certificate so if you have all that configured then you can expect the same result for your renewal.

If you had to configure Azure DNS you would know because you would have had to specify a bunch of configuration (application IDs, tenant IDs, API secret, etc.). If you have just used manual DNS to get the initial certificate then no, it won’t be automatic until you configure an automated provider. I imagine Microsoft does use Azure DNS for Office 365, but I’m not sure how that product is exposed to you for use via an API. We don’t have an Office 365 specific DNS provider.
