DNS-validated certificate is valid and installed on CloudFront distribution, but browser not recognizing it

0

I let an email-validated certificate expire on an S3 bucket used for static web hosting so that I could switch to a DNS-validated cert. Historically the S3 bucket was reached through x.primarydomain.com, and is named accordingly.

I successfully requested the cert, updated my DNS, the cert validated quickly, and I successfully installed it on the associated CloudFront distribution. So all good, right? No. After 24 hours the browser is resolving to an expired certificate on our third-party website host that handles traffic on the primary domain, primarydomain.com.

I'm thinking the problem is the existence of a wildcard A record in our DNS that is pointing to the third-party host's server. Does this theory make sense?

1 Answer
3
Accepted Answer

Based on your description, it does sound like your DNS settings could be at the heart of this issue. Here are some things to check:

  1. Wildcard A Record: A wildcard A record can indeed cause problems, as it will take precedence for any subdomains not explicitly defined in your DNS. If there is a wildcard A record pointing to the third-party host's server, requests to x.primarydomain.com may resolve to that server instead of your CloudFront distribution, which would then serve its own (possibly expired) certificate. You should check your DNS settings and make sure that there is an explicit A (or possibly CNAME) record pointing x.primarydomain.com to your CloudFront distribution.

  2. DNS Propagation: Even after updating your DNS records, the changes might not be immediately visible everywhere due to DNS propagation delay. It can take up to 48 hours (or even more in some rare cases) for DNS changes to propagate fully throughout the internet. If you've already waited this long and are still experiencing issues, this is likely not the problem.

  3. CloudFront Distribution Settings: Ensure that you have correctly configured your CloudFront distribution to use the custom SSL certificate. Verify that your CloudFront distribution is associated with the correct domain name (x.primarydomain.com) and that the new SSL certificate is assigned to the distribution.

  4. Certificate Validation: Also, verify the details of the SSL certificate. Ensure that it is valid, issued for x.primarydomain.com, and trusted by the browser. You can use online tools like SSL Labs' SSL Server Test to diagnose issues with your SSL configuration.

If all of the above is in order, the problem may lie somewhere else. It's always recommended to work closely with your DNS provider and AWS support when diagnosing these kinds of issues.

Expert, answered a year ago
Expert, reviewed 9 days ago
Expert, reviewed a year ago
  • Ivan is spot on

  • Thanks, Gary! rePost-User-7689836, if the answer is helpful, please click "Accept Answer" and upvote it.

  • Thanks so much for your thorough info. I had inadvertently deleted the CNAME record pointing to CloudFront (insert facepalm). Restoring that fixed everything, and the wildcard A record remains with now no ill effect.
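The thread above ends with the actual cause (the CNAME for x.primarydomain.com had been deleted) while the accepted answer's wildcard theory explains why the failure was silent rather than an NXDOMAIN. The following is an added example, not code from the question, the answer, or AWS: a small authoritative-zone lookup implementing the RFC 4592 wildcard rules (a wildcard only synthesizes an answer for a name that does not exist, and only at the closest existing ancestor), plus a helper that reports which endpoint a browser's TLS handshake will actually reach. The zone contents, the IP address 203.0.113.10 and the CloudFront domain d111111abcdef8.cloudfront.net are constructed for the example.

```python
# Added example, not code from the question or the answer: a toy authoritative
# zone lookup applying RFC 4592 wildcard semantics, used to show why deleting
# the CNAME for x.primarydomain.com sends browsers to the third-party host
# (and its certificate) instead of producing a DNS error.
# All names and addresses below are constructed for the example.

THIRD_PARTY_IP = "203.0.113.10"                       # constructed, TEST-NET-3
CLOUDFRONT_TARGET = "d111111abcdef8.cloudfront.net."  # constructed distribution domain


def build_zone(cname_present: bool) -> dict:
    """Zone data for primarydomain.com as described in the thread: the apex
    and a wildcard A record both point at the third-party host, and
    x.primarydomain.com is a CNAME to CloudFront only while cname_present
    is True (the asker had accidentally deleted it)."""
    zone = {
        "primarydomain.com.":   {"A": [THIRD_PARTY_IP]},
        "*.primarydomain.com.": {"A": [THIRD_PARTY_IP]},
    }
    if cname_present:
        zone["x.primarydomain.com."] = {"CNAME": [CLOUDFRONT_TARGET]}
    return zone


def _parent(name: str) -> str:
    """Strip the leftmost label: 'x.primarydomain.com.' -> 'primarydomain.com.'"""
    return name.split(".", 1)[1]


def _name_exists(zone: dict, name: str) -> bool:
    """A name exists if it owns records or is an ancestor of an owner name
    (an 'empty non-terminal'). Wildcards never match a name that exists."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def lookup(zone: dict, qname: str, qtype: str):
    """Answer a query the way an authoritative server would.
    Returns (status, rdata); status is one of
    'exact', 'cname', 'wildcard', 'nodata', 'nxdomain'."""
    if qname in zone:
        rrsets = zone[qname]
        if qtype in rrsets:
            return "exact", rrsets[qtype]
        if "CNAME" in rrsets:            # a CNAME answers a query for any type
            return "cname", rrsets["CNAME"]
        return "nodata", []
    if _name_exists(zone, qname):        # empty non-terminal: exists, no data
        return "nodata", []
    # qname does not exist: walk up to the closest existing ancestor (the
    # "closest encloser") and look for a wildcard child there. A wildcard
    # higher up does NOT apply once a closer ancestor exists.
    encloser = _parent(qname)
    while encloser and not _name_exists(zone, encloser):
        encloser = _parent(encloser)
    wildcard = "*." + encloser
    if wildcard in zone:
        if qtype in zone[wildcard]:
            return "wildcard", zone[wildcard][qtype]
        return "nodata", []
    return "nxdomain", []


def reached_endpoint(zone: dict, host: str):
    """What a stub resolver hands the browser for host: a CNAME target to be
    followed, or the A record it matched. Returns (target, how)."""
    status, rdata = lookup(zone, host, "A")
    if status in ("cname", "exact", "wildcard"):
        return rdata[0], status
    return None, status


if __name__ == "__main__":
    hosts = ("x.primarydomain.com.", "typo.primarydomain.com.", "a.x.primarydomain.com.")
    for cname_present in (True, False):
        zone = build_zone(cname_present)
        print(f"\nCNAME for x.primarydomain.com present: {cname_present}")
        for host in hosts:
            target, how = reached_endpoint(zone, host)
            print(f"  {host:26} -> {how:9} {target}")
```

With the CNAME in place, x.primarydomain.com resolves to the CloudFront target and the wildcard is never consulted, which is why the asker could leave it in the zone afterwards. With the CNAME gone, the name no longer exists, the wildcard A synthesizes an answer, and the browser connects to the third-party host, which presents whatever certificate it has for primarydomain.com; the result is a certificate error rather than a resolution failure, so the deletion is easy to miss. The same wildcard also catches typos and any hostname that was never configured, so a wildcard pointed at a host you do not control is worth reviewing. On a live zone the equivalent checks are `dig +noall +answer x.primarydomain.com` (expect a CNAME to a cloudfront.net name, not a bare A record matching the wildcard) and `openssl s_client -connect x.primarydomain.com:443 -servername x.primarydomain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -dates` to see whose certificate is actually presented.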
