There’s one omission in the article, which has caused me to waste several hours:

The command line should include the base domain itself, because *.example.com does not cover example.com.

If you navigate to example.com in Chrome, you’ll get this error:

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is example.com; its security certificate is from *.example.com.

So the correct command line needs to include -d "*.example.com" -d example.com.