The ability of CF ACM certificates to cover the *.domain.com wildcard is not the same as CF DNS supporting proxied wildcard *.domain.com DNS records. CF Free, Pro and Business plan DNS doesn’t support wildcard *.domain.com proxied DNS records, as per https://support.cloudflare.com/hc/en-us/articles/360017421192-Cloudflare-DNS-FAQ#CloudflareDNSFAQ-DoesCloudflaresupportwildcardDNSentries. Only CF Enterprise plans support proxied wildcard DNS entries.
Does Cloudflare support wildcard DNS entries?
Cloudflare supports the wildcard ‘*’ record for DNS management in all customer plans. Enterprise customers get full proxy support for wildcard records.
Free, Pro and Business plans
Cloudflare does not proxy wildcard records; therefore, wildcard subdomains are served directly without any Cloudflare performance, security, or apps. As a result, wildcard domains get no cloud (orange or grey) in the Cloudflare DNS app. If you are adding a * CNAME or A record, you need to make sure the record is grey clouded in order for the record to be created.
To get Cloudflare protection on a wildcard subdomain (for example: www), you need to define that record explicitly in your Cloudflare DNS settings. First, log into your Cloudflare account and click the DNS app. In this example, you would add “www” as its own CNAME record in your Cloudflare DNS settings and toggle the cloud to orange so Cloudflare’s proxy is enabled.
Cloudflare Enterprise customers can proxy wildcard records. To learn more about the Enterprise plan, contact us.
Wildcards are only valid in the left-most subdomain label. For example, it’s not possible to add sub.*.example.com, but it’s possible to add *.sub.example.com.
So you can issue an ACM wildcard SSL certificate, but your DNS hostname entries need to be entered specifically, i.e. sub1.domain.com and sub2.domain.com. Then CF will serve both with the ACM wildcard SSL certificate.
If you need to automate it, you can, at user subdomain creation time, issue a call to the CF API to add the DNS zone record: https://api.cloudflare.com/#dns-records-for-a-zone-create-dns-record
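An added example of that automation, not code from the post or from Cloudflare: it checks that the requested hostname is exactly one label below the zone (the only shape a *.domain.com certificate covers, and the only place a wildcard is valid per the FAQ), refuses wildcard labels since they cannot be proxied on Free/Pro/Business, and then POSTs an explicit, orange-clouded CNAME to the create-DNS-record endpoint linked above. The zone id, API token and origin hostname are placeholders you would supply; the `fake_opener` is a constructed stand-in so the script can be run offline.

```python
import json
import os
import re
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def covered_by_wildcard(hostname: str, zone: str) -> bool:
    """True if hostname is exactly one label below zone, i.e. inside the scope of a
    *.zone certificate. Deeper names (a.b.zone), the apex, and a literal '*' label
    are rejected: the first two are not matched by a single-label wildcard and the
    last cannot be proxied on Free/Pro/Business plans."""
    hostname = hostname.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if not hostname.endswith("." + zone):
        return False
    label = hostname[: -len(zone) - 1]
    return "." not in label and label != "*" and bool(LABEL_RE.match(label))


def build_record_request(zone_id: str, hostname: str, origin: str, api_token: str,
                         proxied: bool = True) -> urllib.request.Request:
    """Build the POST for /zones/{zone_id}/dns_records. ttl=1 means 'automatic';
    proxied=True is the orange cloud, which only works on an explicit record."""
    body = {"type": "CNAME", "name": hostname, "content": origin, "ttl": 1, "proxied": proxied}
    return urllib.request.Request(
        f"{CF_API}/zones/{zone_id}/dns_records",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
    )


def create_subdomain_record(zone: str, zone_id: str, label: str, origin: str, api_token: str,
                            opener=urllib.request.urlopen) -> dict:
    """Validate the label, then create the explicit proxied CNAME and return the
    record object Cloudflare echoes back. `opener` is injectable for offline use."""
    hostname = f"{label}.{zone}"
    if not covered_by_wildcard(hostname, zone):
        raise ValueError(f"{hostname!r} is not a single-label subdomain of {zone!r}")
    req = build_record_request(zone_id, hostname, origin, api_token)
    with opener(req) as resp:
        result = json.loads(resp.read())
    if not result.get("success"):
        raise RuntimeError(f"Cloudflare API error: {result.get('errors')}")
    return result["result"]


class _FakeResponse:
    """Constructed stand-in for the HTTP response, used only for offline demonstration.
    It echoes the submitted record back in the same envelope shape the real API uses."""

    def __init__(self, req):
        self.payload = json.loads(req.data)

    def read(self):
        record = dict(self.payload, id="constructed-record-id")
        return json.dumps({"success": True, "errors": [], "result": record}).encode()

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req):
    return _FakeResponse(req)


if __name__ == "__main__":
    # Placeholders: set CF_ZONE_ID / CF_API_TOKEN / CF_ORIGIN to hit the real API,
    # otherwise the constructed fake opener is used.
    zone = "domain.com"
    zone_id = os.environ.get("CF_ZONE_ID", "ZONE_ID_PLACEHOLDER")
    token = os.environ.get("CF_API_TOKEN", "API_TOKEN_PLACEHOLDER")
    origin = os.environ.get("CF_ORIGIN", "origin.example.net")
    opener = urllib.request.urlopen if "CF_API_TOKEN" in os.environ else fake_opener
    for label in ("sub1", "sub2"):
        rec = create_subdomain_record(zone, zone_id, label, origin, token, opener=opener)
        print(f"created {rec['name']} -> {rec['content']} proxied={rec['proxied']}")
```

The validation step is where the post's distinction lives: `sub1.domain.com` passes and gets an explicit orange-clouded record that the wildcard ACM certificate will serve, while `*.domain.com` or `a.b.domain.com` is rejected before any API call is made.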