All answers here are outdated or not fully correct, not considering the RFC 6125 from 2011.
According to the RFC 6125, only a single wildcard is allowed in the most left fragment.
Valid:
*.sub.domain.tld
*.domain.tld
Invalid:
sub.*.domain.tld
*.*.domain.tld
domain.*
*.tld
sub.*.*
A fragment, or also called "label", is a closed component, e.g.: *.com
(2 labels) does not match label.label.com
(3 labels) - this has already been defined in RFC 2818.
Before 2011 in RFC 2818 the setting was not fully clear:
Specifications for existing application technologies are not clear
or consistent about the allowable location of the wildcard
character.
This has changed with RFC 6125 from 2011 (6.4.3):
The client SHOULD NOT attempt to match a presented identifier in
which the wildcard character comprises a label other than the
left-most label (e.g., do not match bar.*.example.net).