I get why this is done this way, but it’s frustrating. I’m a new user and was stymied by the inbound HTTPS verification requirement and the inability to whitelist source IPs. So I moved on to DNS-based verification, and the requirement that it be done on a per-hostname rather than per-domain basis is a challenge as well.
I’ll probably plan on running certbot on a bastion host that has the ability to update route53 records rather than running it on the less-trusted endpoints where the certs will actually be used, but that creates its own challenges.
I’m trying to think of a way this could be solved, but ultimately if you’re trying to run certbot on 10 different hosts, you can’t really expect to use a text record for just the 2nd-level domain name, because every client would step on every other client at renewal time.
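An added illustration, not part of the post above and not certbot's own code, of why the DNS-01 TXT record is tied to the hostname: ACME derives the record name by prepending `_acme-challenge` to the identifier being validated, and the record value from the challenge token and the account-key thumbprint (RFC 8555 section 8.4, RFC 7638). The account key, tokens and hostnames below are constructed placeholders; `fleet_records` and `validate` are names chosen here, not ACME or certbot functions.

```python
"""Constructed example: how ACME DNS-01 derives one TXT record per identifier."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, thumbprint: str) -> tuple[str, str]:
    """Return (TXT owner name, TXT value) for one DNS-01 challenge (RFC 8555 section 8.4).

    The owner name is "_acme-challenge." prepended to the identifier being validated,
    so each hostname gets its own record; a wildcard "*.example.com" validates at the
    base name. The value is base64url(SHA-256(token "." account-key-thumbprint)).
    """
    name = identifier.rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    key_authorization = f"{token}.{thumbprint}"
    value = b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())
    return f"_acme-challenge.{name}.", value


def fleet_records(hosts: dict, thumbprint: str) -> dict:
    """Map each host's challenge to its own TXT record; hosts is {identifier: token}."""
    records = {}
    for identifier, token in hosts.items():
        name, value = dns01_record(identifier, token, thumbprint)
        records[name] = value
    return records


def validate(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """Simulate the CA's check: the TXT record at the derived name must hold the value.

    zone maps owner names to lists of TXT values. A record left at the bare domain
    name does not satisfy a challenge for a hostname beneath it, because the name
    looked up is derived from the identifier itself.
    """
    name, expected = dns01_record(identifier, token, thumbprint)
    return expected in zone.get(name, ())


# Constructed account key (not a real key; only the JSON shape matters for the thumbprint).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
THUMBPRINT = jwk_thumbprint(ACCOUNT_JWK)

# Constructed per-challenge tokens for three hosts renewing independently.
HOSTS = {"web1.example.com": "tokenA", "web2.example.com": "tokenB", "api.example.com": "tokenC"}

if __name__ == "__main__":
    zone = {name: [value] for name, value in fleet_records(HOSTS, THUMBPRINT).items()}
    for host, token in HOSTS.items():
        print(host, "validates:", validate(zone, host, token, THUMBPRINT))
    # A value published only at the apex is never consulted for a hostname beneath it.
    apex_only = {"_acme-challenge.example.com.": [dns01_record("web1.example.com", "tokenA", THUMBPRINT)[1]]}
    print("apex-only record validates web1:", validate(apex_only, "web1.example.com", "tokenA", THUMBPRINT))
```

The last check is the concrete form of the per-hostname point: a value published only at `_acme-challenge.example.com` is never looked up when validating `web1.example.com`, so each host's record has to exist at its own derived name, and because tokens are issued per challenge, records for different hosts never carry the same value either.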