SSL certificate with wildcard

That’s a normal behaviour. “*.frog.mx” is only valid for one level below “frog.mx”. So “aws.frog.mx”, “test.frog.mx”, “abcdef.frog.mx.” would be fine. But it’s not valid for anything below that, e.g. “jersey.aws.frog.mx”. You could get a certificate for “*.aws.frog.mx” though.

RFC 6125: Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
2. If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com)

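The single-label wildcard rule quoted above, as an added example that is not part of the original post or of any TLS library: a small hostname matcher in the style of RFC 6125 section 6.4.3, followed by a helper that checks a certificate's subject alternative names against the hostname a client connected to. The host names are the ones from the reply; `hostname_matches` and `certificate_covers` are names chosen here, and the SAN list is constructed for illustration.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a presented identifier (a dNSName SAN or CN) matches
    the reference identifier the client connected to.

    Rules applied (RFC 6125 section 6.4.3 style):
      * comparison is case-insensitive; a trailing dot is ignored
      * a wildcard is only honoured when it is the entire left-most label
      * the wildcard matches exactly one label, never zero and never several
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in pattern:
        # Plain identifier: exact match only.
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Wildcard must be the whole left-most label ("*.frog.mx"), and no other
    # label may contain one ("f*o.frog.mx", "foo.*.frog.mx" are rejected).
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False

    # One wildcard label consumes exactly one hostname label, so the label
    # counts must be equal: "*.frog.mx" has 3 labels, "jersey.aws.frog.mx" has 4.
    if len(p_labels) != len(h_labels):
        return False

    # The label the wildcard stands in for must be non-empty, and every
    # remaining label must match exactly.
    if not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(san_dns_names: list[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list matches hostname."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed SAN list for a certificate issued for "*.frog.mx".
    wildcard_cert_sans = ["frog.mx", "*.frog.mx"]
    for host in ("aws.frog.mx", "abcdef.frog.mx.", "jersey.aws.frog.mx"):
        print(f"{host:22} covered: {certificate_covers(wildcard_cert_sans, host)}")
```

Running the script shows why the original poster saw a mismatch: the first two names are covered, while "jersey.aws.frog.mx" is not, because the wildcard label would have to stand in for two labels. A certificate carrying "*.aws.frog.mx" is what covers that name, exactly as the reply says.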