I’m afraid I don’t understand what you’re saying. You want to get wildcard certs for three different domains, none of which is the domain that you’re serving with your nethserver. You then want to deploy those certs to the servers that do host those domains. Is that right?
Edit: After re-reading your post, I think it isn’t right–it rather sounds like you want a single wildcard cert for all three domains, and you want that cert to be active on your Nethserver installation. If that’s correct, the link I gave above will give the basic instructions, you’d just specify your domains differently. It’d look like this:
acme.sh --issue --dns dns_cf -d domain1.tld -d *.domain1.tld \
-d domain2.tld -d *.domain2.tld \
-d domain3.tld -d *.domain3.tld \
--cert-file /etc/pki/tls/certs/cert.pem \
--ca-file /etc/pki/tls/certs/chain.pem \
--key-file /etc/pki/tls/private/privkey.pem \
--reloadcmd "/sbin/e-smith/signal-event certificate-update"
You’d need to include both domain.tld and *.domain.tld on the cert because *.domain.tld doesn’t include domain.tld.
If your DNS is with someone other than Cloudflare, you’d need to see if they have a compatible API, and then modify the instructions accordingly.