Indeed, using the dns-01 method is not a good option in cases where you want to provide Let’s Encrypt support on widely distributed servers which have to run mostly autonomously.
It would be very simple to support http-01-based validation for requesting wildcards like *.aa.bb.cc from a specific server, xx.yy.zz, either separately or together with the server’s own certificate (i.e. where the certificate includes both xx.yy.zz and *.aa.bb.cc).
All it takes is that the owner of the bb.cc domain creates a DNS TXT record which looks something like this (note: the label is actually “wildcard” rather than “*”):
“wildcard.aa.bb.cc” TXT “email@example.com”
“wildcard.acme.aa.bb.cc” TXT “xx.yy.zz”
or whatever will suit the ACME server best.
This designates that host xx.yy.zz is allowed to request a certificate for “*.aa.bb.cc” via the ACME protocol (using whatever method is already supported by the ACME protocol).
I think this would work out of the box with most of the existing clients using the http-01 method, as it is only the server which needs to perform the extra DNS check.
Could something like this be added to Boulder soon to let wildcard support benefit from the “autonomous-server-friendly” http-01 protocol?