This loose allowance is going away. Current BRs allow using 3.2.2.4.18 and 3.2.2.4.19 (Agreed upon change to Website) for wildcards until December 2021. After that:
> For Certificates issued on or after 2021‐12‐01, the CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names.
Let's Encrypt are just ahead of the curve here; this was always unsafe because it means if your corporate site https://big-corp.example/ is on some bulk host, that bulk host can get (even though presumably they wouldn't) wildcard certificates that will also match mail.big-corp.example and db2.big-corp.example and auth.big-corp.example and vpn.big-corp.example ...
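An added example (not part of the comment above, and not any CA's or Let's Encrypt's actual code) that models the scope rule the quoted BR text imposes on the website-change methods: a validation of big-corp.example via 3.2.2.4.18 or 3.2.2.4.19 authorises exactly that FQDN, never a wildcard, and, for certificates issued on or after 2021-12-01, no other FQDN ending in its labels unless that FQDN was validated on its own. The method identifiers and the cut-off date come from the comment; the function names and the `separately_validated` set are assumptions made for illustration.

```python
from datetime import date

# BR 3.2.2.4 method identifiers named in the comment (the website-change methods).
WEBSITE_CHANGE_METHODS = {"3.2.2.4.18", "3.2.2.4.19"}
# Date from which the quoted BR text applies.
CUTOFF = date(2021, 12, 1)


def _labels(fqdn: str) -> list:
    """Split an FQDN into labels, ignoring case and a trailing dot."""
    return fqdn.rstrip(".").lower().split(".")


def is_subdomain_of(candidate: str, validated: str) -> bool:
    """True if candidate ends with all the labels of validated and has more labels.
    Label-wise comparison avoids treating notbig-corp.example as under big-corp.example."""
    c, v = _labels(candidate), _labels(validated)
    return len(c) > len(v) and c[-len(v):] == v


def may_issue(requested: str, validated: str, method: str, issue_date: str,
              separately_validated=frozenset()):
    """Decide whether a CA that validated `validated` via `method` may include
    `requested` in a certificate issued on `issue_date` (ISO YYYY-MM-DD).

    `separately_validated` is an assumed set of FQDNs the CA has already validated
    on their own with an authorised method. Returns (allowed, reason)."""
    if method not in WEBSITE_CHANGE_METHODS:
        return False, "method not modelled here"
    when = date.fromisoformat(issue_date)
    req = requested.rstrip(".").lower()
    val = validated.rstrip(".").lower()

    if req.startswith("*."):
        # Quoted text: "This method is NOT suitable for validating Wildcard Domain Names."
        # The comment says the BRs tolerated this until the cut-off; it was unsafe all along.
        if when < CUTOFF:
            return True, "wildcard tolerated by pre-2021-12-01 BRs (unsafe)"
        return False, "website-change methods cannot validate wildcards"

    if req == val:
        return True, "exactly the validated FQDN"

    if is_subdomain_of(req, val):
        # Quoted text: no other FQDN ending with all the labels of the validated
        # FQDN unless the CA performs a separate validation for that FQDN.
        if when < CUTOFF:
            return True, "subdomain tolerated by pre-2021-12-01 BRs (unsafe)"
        if req in separately_validated:
            return True, "subdomain separately validated"
        return False, "subdomain needs its own validation"

    return False, "name unrelated to the validated FQDN"


if __name__ == "__main__":
    # The bulk-host scenario from the comment: control of the big-corp.example web
    # root is shown to authorise nothing beyond that one name after the cut-off.
    for name in ("big-corp.example", "*.big-corp.example", "mail.big-corp.example"):
        print(name, may_issue(name, "big-corp.example", "3.2.2.4.19", "2022-01-01"))
```

The check is per-SAN: a CA applying it must run it for every name in a requested certificate against the validation that is supposed to cover it, and a name that fails must be dropped or validated on its own before issuance.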