Digital certificates
Alexander, 2018-08-30 17:10:07

Are there SSL certificates for 2 levels of subdomains at once?

We are going to start a lot of subdomains for the regional branches of the school.
There will be subdomains of the form:
kursk.school.ru
is.kursk.guitardo.ru
and in other regions. Just a few dozen pieces.
At reg.ru they wrote to me that I would have to buy a separate certificate for each subdomain. And even if you take a Wildcard on *.school.ru, it will only protect subdomains one level deep. That is, kursk.school.ru, sochi.school.ru,
and if you make is.kursk.school.ru subdomains, then you need to take a separate certificate for *.kursk.school.ru
Maybe there are certificates in nature, albeit much more expensive, but which act at least two levels deep?
That is, we buy one certificate for *.school.ru and protect all subdomains of all levels at once :-)
1. Does it exist in nature?
2. If not, how else can you optimize the protection of a large number of subdomains?

3 answer(s)
bkosun, 2018-08-30
@bkosun

Wildcard SSL certificate for *.domain.com will be valid for sub.domain.com but not sub.sub.domain.com
This is done in accordance with RFC 2818:
https://tools.ietf.org/html/rfc2818#section-3.1
https://en.wikipedia.org/wiki/Wildcard_certificate
Use Multi-Domain (SAN) SSL:
https://www.digicert.com/multi-domain-ssl/
You can see how it works here:
https://www.sslshopper.com/ssl-checker.html#hostna...
You can also request a duplicate of an existing Wildcard certificate with alternative names.
https://www.digicert.com/ssl-support/wildcard-san-...
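
The single-label wildcard rule cited in this answer, together with a way to work out which SAN entries one multi-domain certificate would need, as an added example that is not part of the original answer. It assumes the strict interpretation in which `*` is the entire leftmost label; the function names and the hosts `lk.kursk.school.ru` and `is.sochi.school.ru` are constructed for illustration.

```python
# Added example: hostnames other than those in the question are constructed.
from collections import defaultdict


def matches(pattern, hostname):
    """Strict wildcard match: '*' must be the entire leftmost label and
    stands for exactly one non-empty label (it never spans a dot)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def covered(sans, hostname):
    """True if any subjectAltName entry in `sans` matches the hostname."""
    return any(matches(s, hostname) for s in sans)


def san_plan(hostnames):
    """Hypothetical planner: one wildcard per parent zone that has two or
    more hosts, an exact name where a parent has only one."""
    by_parent = defaultdict(set)
    for name in hostnames:
        name = name.lower().rstrip(".")
        by_parent[name.partition(".")[2]].add(name)
    sans = []
    for parent in sorted(by_parent):
        names = by_parent[parent]
        sans += ["*." + parent] if len(names) > 1 else sorted(names)
    return sans


# Constructed host list in the shape the question describes.
HOSTS = [
    "kursk.school.ru", "sochi.school.ru",
    "is.kursk.school.ru", "lk.kursk.school.ru",
    "is.sochi.school.ru",
]

if __name__ == "__main__":
    for host in HOSTS:
        print(host, "covered by *.school.ru:", matches("*.school.ru", host))
    print("SAN entries for one certificate:", san_plan(HOSTS))
```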

ky0, 2018-08-30
@ky0

Maybe there are certificates in nature, albeit much more expensive, but which act at least two levels deep?
That is, we buy one certificate for *.school.ru and protect all subdomains of all levels at once :-)

There are certificates that are much less expensive, which act on a specific domain (or subdomains), are easily and automatically issued / updated and, if properly configured, require almost no attention from a living person at all. And all these attempts to issue a Certificate of Omnipotence are, IMHO, rather sad from the point of view of security (many places of potential key compromise) and cost optimization (we actually pay for air, if there is an alternative that is technically not inferior), and in 2018 they do not look very good.

CityCat4, 2018-08-30
@CityCat4

Get your CA - and do what you want. Plus it's free. Minus - requires brains, knowledge of what you are doing and installing a root certificate for each client.
IMHO, if you have money to buy school.ru - then probably there will be an admin who understands certificates. Although, of course, this is none of my business :)
You can, of course, try to add all the second levels to the SAN, but I have never done this, because at the corporate level, your CA is immeasurably simpler.
