@basil @francislavoie using crt.sh I was able to see that in the past my pfSense firewall with the acme plugin was able to successfully request a certificate for *.internal.mydomain.com, whereas Caddy was not able to. I have ensured that the API token permissions are the same. Is it possible that maybe there is a timing issue because LE is tried first and ZeroSSL is tried second (as shown in the logs)? Maybe if Caddy tried ZeroSSL first and LE second, it would obtain the certificate from LE?
The *.internal.mydomain.com would not be a multi-level wildcard certificate, so I don’t think LE should have a problem with issuance.
The only thing I did before I experienced this behavior was upgrade to Caddy 2.4.0-beta. This behavior could have existed in the past, but I only tested it after upgrading, so I am not sure.