That was one of the hard things to figure out how to do in a simple way on mataroa. Just using Let's Encrypt directly was the first iteration. Now mataroa is using a combination of:
- Let's Encrypt with a wildcard certificate for mataroa.blog and all *.mataroa.blog domains
- Caddy's automated certificates for all user custom domains
You can see a few more details about this setup in the server playbook doc [1] and the Caddyfile [2].