by cyphar 2627 days ago
They now support wildcards, but in order to verify you are authorised to get a wildcard certificate you need to be able to pass the DNS challenge. Unfortunately there simply isn't another universal, trust-less (and automatable) way of verifying that someone owns a domain -- other than DNS.

However, because the DNS check doesn't require writing to the webroot, you could run this on any server you like and then distribute the certificate to your edge nodes (meaning your edge nodes don't need to have access to write to your DNS). Some clients even have scripting hooks which could make this significantly easier.

(I assumed the "store my cloudflare API keys on my web host" aspect was your main concern with this method -- not necessarily who wrote the client because there are plenty of other clients.)
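The dns-01 arithmetic behind "pass the DNS challenge", as an added Python example that is not from this thread or from any ACME client; the account key and token below are constructed sample values, and the record name and TXT value follow RFC 8555 section 8.4 with an RFC 7638 key thumbprint.

```python
"""ACME dns-01: what a client publishes and what the CA checks.

Constructed example: the EC P-256 JWK and token are sample values, not a real account.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """dns-01 is validated at _acme-challenge.<name>; a wildcard *.example.com
    is validated at the base name example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def validate_dns01(token: str, account_jwk: dict, txt_answers: list) -> bool:
    """The CA side: the exact expected value must appear among the TXT answers."""
    return dns01_txt_value(token, account_jwk) in txt_answers


# Constructed sample inputs (not a real key or token).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name = challenge_record_name("*.example.com")
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
    print("validates:", validate_dns01(TOKEN, ACCOUNT_JWK, [value]))
```

Only the account key is needed to compute the value, which is why the DNS update can run on one central host while the issued certificate is copied out to edge nodes.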


Hm, doesn't Caddy support wildcards without DNS auth? It seems that they work around this by generating a few random subdomains and verifying those.
From the Caddy release announcement that supports wildcards[1]:

"This release introduces support for wildcard certificates, a new offering from Let's Encrypt. Getting a wildcard certificate requires enabling the DNS challenge. Fortunately, that is extremely simple with Caddy, and it works with over 20 different providers!"

1: https://caddyserver.com/blog/caddy-0_10_12-released

Caddy requires configuring their DNS provider as well[1]. Let's Encrypt (and ACMEv2) only allow you to get a wildcard if you use the dns-01 challenge.

[1]: https://caddyserver.com/docs/automatic-https#wildcards