Although wildcard certificates aren't possible, you can specify multiple domains (up to 100 in total), including subdomains of the same "main" domain, so you'll end up with one certificate for all of them. Just add multiple -d switches to the command line of the Let's Encrypt client. It doesn't matter if you use the webroot, manual or whatever plugin. As a matter of fact.. I was under the impression that the fully automated Apache or nginx plugin would automatically detect every domain in your server's configuration.. If for some reason an automated plugin isn't working, you can always use the webroot (or manual) plugin.
letsencrypt-auto certonly --webroot --webroot-path /var/www/vhosts/example.com/htdocs/ -d example.com -d www.example.com --webroot-path /var/www/vhosts/mail.example.com/htdocs/ -d mail.example.com --webroot-path /var/www/vhosts/funkysubdomain.example.com/htdocs/ -d funkysubdomain.example.com --webroot-path /var/www/vhosts/totallydifferentdomain.tld/htdocs/ -d totallydifferentdomain.tld -d www.totallydifferentdomain.tld
As said, the above syntax will generate one certificate with all (sub)domains in the "Subject Alternative Names" section of the certificate. So if a person surfs to example.com, they can read the other (sub)domains in the certificate.
Oh and you can go many "levels" "deep".. I've generated certificates for sub3.sub2.sub1.domain.tld. So I don't know if that's what you meant with "2lvl"? Shouldn't be a problem anyway..
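An added example, not part of the original post: a small POSIX shell helper that assembles the multi-domain command shown above from a webroot-to-names map and refuses input the post says cannot work (wildcards, more than 100 names) as well as duplicate names. The function name `build_certonly_cmd` and the input format are hypothetical, and webroot paths are assumed to contain no whitespace.

```sh
MAX_NAMES=100  # per-certificate name limit stated in the post

# Reads lines of "WEBROOT NAME [NAME...]" on stdin and prints one command line.
# The body runs in a subshell "( )" so set -f and the variables stay local.
build_certonly_cmd() (
  set -f                      # keep a "*" in the input from expanding to filenames
  cmd="letsencrypt-auto certonly --webroot"
  seen=" "; count=0
  while read -r webroot names; do
    [ -n "$webroot" ] || continue                 # skip blank lines
    [ -n "$names" ] || { echo "no names for $webroot" >&2; exit 1; }
    # Each --webroot-path applies to the -d switches that follow it.
    cmd="$cmd --webroot-path $webroot"
    for name in $names; do
      name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')   # hostnames are case-insensitive
      case "$name" in
        *\**) echo "wildcard not possible: $name" >&2; exit 1 ;;
      esac
      case "$seen" in
        *" $name "*) echo "duplicate name: $name" >&2; exit 1 ;;
      esac
      seen="$seen$name "
      count=$((count + 1))
      cmd="$cmd -d $name"
    done
  done
  [ "$count" -gt 0 ] || { echo "no names given" >&2; exit 1; }
  [ "$count" -le "$MAX_NAMES" ] || { echo "$count names exceeds $MAX_NAMES" >&2; exit 1; }
  printf '%s\n' "$cmd"
)

# Constructed sample map, using the hostnames and paths from the post.
build_certonly_cmd <<'EOF'
/var/www/vhosts/example.com/htdocs/ example.com www.example.com
/var/www/vhosts/mail.example.com/htdocs/ mail.example.com
/var/www/vhosts/totallydifferentdomain.tld/htdocs/ totallydifferentdomain.tld www.totallydifferentdomain.tld
EOF
```

Every name the helper accepts ends up in the same certificate's Subject Alternative Names, so the map doubles as the list of hostnames any visitor can read from it.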