Yeah, that’s ultra annoying. If wildcards can’t be automated easily for everyone, then what’s the point? I’ve got a server sitting behind a firewall where the only verification option is DNS, which, in turn, requires using a VPN to access. I’ve been looking forward to wildcard support only to find that it only works with DNS auth, which doesn’t improve the existing situation one bit. Also, DNS records are subject to TTL and I have to wait for hours for our corporate DNS to propagate changes (meanwhile people get upset if I forgot to renew in time). There’s no API for DNS when VPN is part of the equation. This non-feature is ill-conceived.
All of this nonsense is why we need DNSSEC DANE TLSA right now. Almost no one’s DNS host has support for auto-renew and whenever you are talking about corporate networks, the situation is even worse. And securely distributing new private keys when regenerating a wildcard cert is a pain too, but a problem that would be far more manageable if DNS wasn’t the only available auth mechanism. The TXT record should specify an immutable web authority for renewal authorization. That way DNS doesn’t have to change every renewal and can point wherever it needs to point. If DNS is compromised, then that’s on the owner, not Let’s Encrypt. What was the point of registering an email address with Let’s Encrypt when using certbot if you won’t actually use it for its intended purpose (i.e. notifying the owner about certificate issuance issues)?
I don’t trust ANY public CA (including Let’s Encrypt). Public CAs are broken by design. As such, I care only about the lock icon working NOT actual security because SSL/TLS security as it stands is a joke. I’ll trust SSL/TLS when DANE TLSA finally gets implemented everywhere such that I can run my own private CA publicly and permanently get rid of all public CAs from my browser and OS trust store once and for all.