So wildcard is only for subdomains of a domain. The domain.com record is not covered by wildcard.
But yes the instructions probably sound like both *.domain.com and domain.com are in fact managed by Coudron, but all I can tell you that unless an app is using a domain, the certs will not be renewed. Maybe we can be smarter about this in the future, but to solve your problem this is what is required.
Note a redirect to an existing app will also work.