Related topic: Best Practices Using a Perl Client Module?
(sorry for the length of this)
We have been using Let’s Encrypt for 1 year now, and for the most part, everything is good.
Quick refresh: We maintain a large content management system (FreeToastHost) that produces free websites for Toastmasters public speaking clubs and districts (districts contain and support clubs) via forms and a website template to insert info from the forms.
We have created, housed on our server, and renewed the LE SSL certs for the 800+ user-registered domains that point to our server. We have a cron job that handles the renewals on a regular cycle, and I have been able to basically forget about it for a while now, which makes me happy.
With the release of ACME v2, though, I would like to take it to the next level. We also have two top-level domains, toastmastersclubs.org and toastmastersdistricts.org that we control the registrations for and routinely create & delete subdomains for (each subdomain maps to a club or district).
toastmastersclubs.org has 11,000+ subdomains and toastmastersdistricts.org has 40+ subdomains (significantly fewer).
Before ACME v2, we got a donated wildcard cert for toastmastersclubs.org, and I cobbled together a strategy for toastmastersdistricts.org using the alternative name feature (SAN?) of the cert.
I would like to put each of the two on an LE wildcard cert. I understand that I can only use DNS challenges for LE-issued wildcard certs, correct? Does this wildcard cert scenario sound like a good use case for using Certbot? (I have not used it yet.)
Lastly, I am a bit confused about what the real difference is between issuing a cert and renewing it. I think I have been basically issuing new certs for our user registered domains when their renewal is due. Does this really matter? (any downsides?)
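The DNS-01 mechanics behind the wildcard question above, as an added illustration that is not part of the original post and not Certbot's or any Perl module's code. It follows RFC 8555 (key authorization, `_acme-challenge` TXT record at the base name for a wildcard identifier) and RFC 7638 (account-key thumbprint) using only the Python standard library. The account key `CONSTRUCTED_JWK` is a fake RSA JWK with a made-up modulus, and the tokens are invented stand-ins for what the ACME server would hand out; the domain names are the ones from the post, but `plan_txt_records` and the other function names are this example's own.

```python
"""DNS-01 challenge bookkeeping for a wildcard name (stdlib only).

Added illustration; not code from the original post or from any ACME client.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed account key: a JWK-shaped dict whose "n" is NOT a real modulus.
# The extra "use" member is here to show the thumbprint ignores it.
CONSTRUCTED_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(hashlib.sha256(b"constructed, not a real key").digest() * 8),
    "use": "sig",
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, keys sorted,
    no whitespace. Optional members such as "use" or "kid" are excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint of account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (TXT owner name, TXT value) for one DNS-01 challenge.

    RFC 8555 section 7.1.3 / 8.4: a wildcard identifier '*.example.org' is
    validated at the base name, so the leading '*.' is dropped before
    '_acme-challenge.' is prepended. The value is the base64url SHA-256 of
    the key authorization string.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def plan_txt_records(challenges: list[tuple[str, str]], jwk: dict) -> dict[str, list[str]]:
    """Group the TXT records an order needs by owner name.

    A cert for both 'example.org' and '*.example.org' gets two separate
    DNS-01 challenges (different tokens) that land at the SAME owner name,
    so both TXT records must be published at once; publishing only the
    second one fails the first identifier's validation.
    """
    records: dict[str, list[str]] = {}
    for identifier, token in challenges:
        name, value = dns01_record(identifier, token, jwk)
        records.setdefault(name, []).append(value)
    return records


if __name__ == "__main__":
    # Constructed tokens standing in for server-issued ones.
    order = [("toastmastersclubs.org", "tokenForBaseName"),
             ("*.toastmastersclubs.org", "tokenForWildcard")]
    for owner, values in plan_txt_records(order, CONSTRUCTED_JWK).items():
        for v in values:
            print(f'{owner}. IN TXT "{v}"')
```

Two practical consequences follow from the code. First, because the wildcard and the bare domain share one `_acme-challenge` owner name, a DNS provider or update script that replaces rather than adds TXT records will break the combined order; check that both values are visible before telling the server to validate. Second, ACME has no separate "renew" operation: a renewal is simply a new order for the same identifiers, with fresh tokens but the same account-key thumbprint, which is why a client's "renew" command differs from "issue" only in the bookkeeping it reuses (stored identifiers, key and hook configuration), not in anything the CA does.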