The command would indeed get a wildcard certificate without the root domain. If you want to do this and repeat the whole process every 2-3 months, you can choose to use the below command:
./certbot-auto certonly --manual --preferred-challenges=dns --email <my email> --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --d *.goldenclaw.me -d goldenclaw.me
(What I did is to add your root domain to the last)
Certbot also have Digital Ocean API support so you could use that (along with the correct information from your digital ocean account) to automatically pass the validation and obtain certificate.
https://certbot-dns-digitalocean.readthedocs.io/en/stable/
Thank you