Like I said. There are uses for wildcard certs I'm just arguing against the fact they're used en masse. People should be perfectly aware of the ramifications and sandbox appropriately. (*.tennant.sandstorm.io or whatever.)
Everyone keeps saying SaaS is the reason for the use of wildcard certs and I would absolutely argue the point that multi-tennancies weakest tenet is the fact that if you get compromised the scale can be broad. Why intentionally weaken that system? LE can handle thousands of domain creations a minute, they've been very forthcoming with lifting limits for people on domain creation.
The downside is your server sites which need a little overhead for vhost creation but that could be automated with less than a day of ops work.
I believe a while ago the sandstorm people spoke to LE who advised that it wasn't a good idea.
I'll stand by the assertion that vhosts are probably still better off with a wildcard cert if it's the difference between a single server using a single cert vs a single server holding thousands of certs. In a node compromise it's the same either way. If different servers are serving different subdomains then sure, subdomain certs are the better way to go.
Everyone keeps saying SaaS is the reason for the use of wildcard certs and I would absolutely argue the point that multi-tennancies weakest tenet is the fact that if you get compromised the scale can be broad. Why intentionally weaken that system? LE can handle thousands of domain creations a minute, they've been very forthcoming with lifting limits for people on domain creation.
The downside is your server sites which need a little overhead for vhost creation but that could be automated with less than a day of ops work.