I think it will be necessary to do the validation in a different way.
Let's imagine my situation, which I encounter very, very, very often:
I have a new customer who currently uses third-party shared hosting, with absolutely no access to the command line; they can provide access only to FTP, a single snapshot of the MySQL DB, and DNS, but...!
A DNS change is only possible when the whole site has been transferred to my own hosting and is working BEFORE the DNS change!!!
(validation with changed hosts files). At this point SSL/HTTPS, SMTPS, IMAPS, etc. have to be working.
I'm always using CloudFlare for all my customers, and you can make any change to its DNS AFTER you have made the DNS change. Some of my customers have websites which were hacked or are under attack, so it's very, very important NOT to reveal the NEW IP address even for a single second, but to mask it behind the CloudFlare network. There are more conditions, like a correct SPF record; the mail server and web server mustn't share the same public IP. Apache2 should NOT be stopped, since many of my customers run monitoring solutions, and if I stop it, they ask for discounts.
1) I need to generate/renew the certificate before the DNS change
2) I need a solution without stopping the web server
3) It's VERY IMPORTANT to have a wildcard certificate, because it's necessary for cooperation with ANY CDN, not just CloudFlare; the same is valid for load balancers (I couldn't imagine generating/renewing 80 different certificates and uploading them manually to each LB node, since each node is on a different site)
Please think about it, because otherwise there is very low added value; for now it's better for me to just pay for a commercial certificate, since my time is more expensive than the price of a certificate.
Let's do better work.
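A caveat on point 3 of the post above, as an added example that is not part of the original post or of any project's code: a wildcard certificate does not cover every name under the domain. The rule browsers apply (RFC 6125, section 6.4.3) is that `*` must be the whole leftmost label and matches exactly one label, so `*.example.com` covers `www.example.com` but neither the apex `example.com` nor `a.b.example.com`. Before relying on one wildcard for a CDN or a fleet of load-balancer nodes, it is worth checking the SAN list against every hostname that will be served. The SAN list and hostnames in the block are constructed for illustration; the simplified "at least two labels after the wildcard" check stands in for a real public-suffix lookup, which is an assumption of this example.

```python
"""Check which hostnames a certificate's SAN list actually covers.

Added example (not from the original post). Implements the wildcard
matching rule of RFC 6125 section 6.4.3 as browsers apply it:
'*' must be the entire leftmost label and matches exactly one label.
"""


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; strip a trailing dot from FQDNs.
    return name.strip().lower().rstrip(".")


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname."""
    san, hostname = _normalize(san), _normalize(hostname)
    if "*" not in san:
        # Plain entry: exact, case-insensitive match only.
        return san == hostname
    labels = san.split(".")
    # Only a wildcard that is the whole leftmost label is accepted;
    # partial forms such as 'w*.example.com' are rejected (browser behaviour).
    if labels[0] != "*" or "*" in san[2:]:
        return False
    # Refuse over-broad wildcards such as '*.com'. Simplification (assumption
    # of this example): demand at least two labels after the wildcard instead
    # of consulting the public suffix list.
    if len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    # The wildcard covers exactly one label, so label counts must be equal;
    # this is what excludes both the apex and deeper subdomains.
    if len(host_labels) != len(labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == labels[1:]


def covered_by(sans: list[str], hostname: str) -> list[str]:
    """All SAN entries that cover hostname (empty list means not covered)."""
    return [s for s in sans if san_matches(s, hostname)]


def uncovered_hosts(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames the certificate would NOT be valid for."""
    return [h for h in hostnames if not covered_by(sans, h)]


# Constructed sample data: a typical wildcard certificate with the apex
# added as a second SAN, checked against the names a CDN/LB setup would serve.
SANS = ["*.example.com", "example.com"]
HOSTS = [
    "www.example.com",
    "example.com",
    "mail.example.com",
    "a.b.example.com",   # two labels below the wildcard: not covered
    "cdn.example.net",   # different domain: not covered
]

if __name__ == "__main__":
    for host in HOSTS:
        print(f"{host:20s} -> {covered_by(SANS, host) or 'NOT COVERED'}")
    print("missing:", uncovered_hosts(SANS, HOSTS))
```

Running the block lists each hostname with the SAN entry that covers it, and reports `a.b.example.com` and `cdn.example.net` as missing; the apex is only covered because `example.com` was added as its own SAN entry next to the wildcard.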