I migrated as many services I maintain to Let’s Encrypt as soon as it was humanly possible. The entire toolchain and ease of use is enough for me to encourage its adoption; the fact they’re free is a happy bonus.

(I donate, so I suppose they’re technically not free for me. But the point stands!)

The only sites I hadn’t done yet were ones that needed wildcard certificates, though Let’s Encrypt implemented support in January this year. So I thought I’d try them out, and also they’re long-since implemented DNS verification:

# /opt/bin/certbot-auto                                 \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual                                                \
--preferred-challenges dns                              \
-d *.example.com *.snrub-domain.example.com

Then waited and:

certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN]    

Whoops, I always forget that each domain needs its own -d. Let’s try again.

Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:  
Before continuing, verify the record is deployed.  
Press Enter to Continue

Done and done. Then hit Return:

Waiting for verification...
Cleaning up challenges  
- Congratulations! Your certificate and chain have been saved at:
  Your key file has been saved at:
  Your cert will expire on [DATE]. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot-auto
  again. To non-interactively renew *all* of your certificates, run
  "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

In the words of the person who first said it: too easy!