Sorry to be vague.
http://example.co - works fine and as expected.
http://blah.example.co - returns curl: (60) SSL certificate problem: Invalid certificate chain
This is actually picking up the SSL cert for the default site on the server. So the server_name is picking up example.co but *.example.co seems to be ignored.
Interesting, the wildcard SSL Key is the most basic RapidSSL Wildcard Certificate, so perhaps going down the Subject Alternate Name route might be worthwhile or worth talking to RapidSSL Support about because we also need *.staging.example.co to work for our staging environment too which might kill two birds with one stone.