You need to request the wildcard AND root on the same cert, and validate challenges for both.
certbot certonly --manual -d “*.tentacom.net” -d tentacom.net --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
beware that some DNS systems will cache the first TXT record for the life of the TTL, so I suggest waiting a few minutes after setting the second challenge before continuing.