certbot version 1.12
Debian 10 - updated
Apache
Yes, SSH access
Apache 2.4.38-3+deb10u4 amd64
I'm trying to get SSL set up on a new server, and the plethora of options is getting foggy, since we don't exactly fit into the standard scenarios. Any guidance much appreciated!
Note: Any details below that provoke a "why on this planet would you do that" would generally be answered with "it's legacy, and I haven't gotten that far down the to-do list".
We host our own DNS. The PRIMARY domain [mountdesales.net] is hosted off-campus, and uses a wildcard cert from GoDaddy. We host several SUBdomains here on campus [for example, tech.mountdesales.net]. There are several others - basically anything OTHER than www.mountdesales.net. Some already exist on this machine, others will be moved over when the time is right.
- Why not just use the GoDaddy cert on our local machine? It's a pain. Can't be autorenewed, so once a year I have to go muck around the server. It's also $400, and we're a school. Eventually I hope to use LetsEncrypt for the primary site, but that can't happen this week.... or next.
There's the background.
What I've done so far [assuming I remember correctly]:
- Installed pip3.
- Using pip3, installed certbot and certbot-dns-standalone.
- Had to upgrade cryptography [pip3 install -U cryptography].
So:
- Do I try for a wildcard cert on this server, given we already have a wildcard cert for the main domain?
- or do I just install individual subdomain certs for each subdomain?
- What's the best/easiest procedure to make this happen?
- Any headache-avoidance strategies you can suggest?
Thanks!
Hopefully one day I can return the favor.