Open cbj4074 opened 6 years ago
Actually, my initial assumption may be false.
Apparently, wildcard certificates are not trivial to maintain because they require authentication via the DNS-01 challenge type, which means that in order to fully automate their renewal, it's necessary to be able to update the relevant DNS records programmatically.
More info in the Wildcard Support announcement:
https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
Additionally, there are risks associated with configuring automated TXT record updates at the DNS provider, which are detailed in one of the replies to this how-to thread:
https://community.letsencrypt.org/t/wildcard-domain-step-by-step/58250/4
I suppose we'll need to meditate on this a bit before taking action, but either way, the renewal process, from our end, needs to be made more or less bulletproof.
Currently, the various domains use individual TLS certificates, which are cumbersome to renew (only because Let's Encrypt's automated renewal process is not without points of failure).
Overall, maintaining a single wildcard certificate will require less work and carry a lower risk of failure.
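For readers weighing the comment above, this is what the "update the relevant DNS records programmatically" step actually has to publish. It is an added example, not code from cbj4074 or from this project: it computes the DNS-01 challenge values per RFC 8555 section 8.4 (key authorization = token "." JWK thumbprint; TXT value = base64url(SHA-256(key authorization))), the RFC 7638 thumbprint of the ACME account key, and the `_acme-challenge` record name. The account key, challenge tokens and zone contents are constructed for illustration (the modulus is a toy value, not a usable key); in real renewals the CA supplies the tokens and the client holds the account key. The example also covers the wildcard edge case a DNS updater must get right: `example.com` and `*.example.com` map to the same `_acme-challenge.example.com` name, so a certificate covering both needs two TXT records at that name rather than one overwriting the other.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(i: int) -> str:
    """Minimal-length big-endian encoding of an unsigned integer (RFC 7518 JWK style)."""
    return b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))


def rsa_public_jwk(n: int, e: int) -> dict:
    """Public JWK for an RSA ACME account key."""
    return {"kty": "RSA", "n": int_to_b64url(n), "e": int_to_b64url(e)}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    keys in lexicographic order, no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """The record lives at _acme-challenge.<domain>. A leading '*.' is dropped,
    so '*.example.com' and 'example.com' share one record name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def build_zone_for_order(identifiers, tokens, thumbprint) -> dict:
    """Return {record_name: set(TXT values)} that the DNS updater must publish.
    One challenge per identifier, so apex + wildcard yields two values at one name;
    an updater that overwrites instead of adding will fail one of the two."""
    zone = {}
    for identifier, token in zip(identifiers, tokens):
        zone.setdefault(dns01_record_name(identifier), set()).add(
            dns01_txt_value(token, thumbprint))
    return zone


def verify_dns01(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """Pre-flight check before asking the CA to validate: is the expected value
    among the TXT records at the challenge name? Additional values there are fine."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in zone.get(dns01_record_name(identifier), set())


# Constructed sample data (NOT a real key and NOT real challenge tokens).
SAMPLE_N = 3233          # toy RSA modulus, illustration only
SAMPLE_E = 17
SAMPLE_IDENTIFIERS = ["example.com", "*.example.com"]
SAMPLE_TOKENS = ["apexTokenConstructed000000000000000000000000",
                 "wildTokenConstructed000000000000000000000000"]


def sample_zone() -> dict:
    """Records that would have to be published for SAMPLE_IDENTIFIERS."""
    thumbprint = jwk_thumbprint(rsa_public_jwk(SAMPLE_N, SAMPLE_E))
    return build_zone_for_order(SAMPLE_IDENTIFIERS, SAMPLE_TOKENS, thumbprint)


if __name__ == "__main__":
    for name, values in sample_zone().items():
        for value in sorted(values):
            print(f'{name}. IN TXT "{value}"')
```

The `verify_dns01` pre-flight is the check worth wiring into an automated renewal: query the public resolvers for the challenge name after the provider API call returns and only then tell the CA to validate, since provider propagation delay, not the ACME exchange itself, is where unattended DNS-01 renewals most often fail.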