Check this post:
It is a common scenario, when someone controls HTTP server for example.com and www.example.com, but should not be allowed to obtain certificate valid for mail.example.com, vpn.example.com or any other subdomain.
1 Like