(Note: this is not a tutorial. Do nag me at if you want one)

I own the domain vylion.com. Cloudflare's free plan lets me generate a wildcard SSL certificate for *.vylion.com, but not for any nested subdomains (so no *.pds.vylion.com). Which is reasonable for a free plan, but still annoyed me, since I wanted to host my own PDS. (Yeah, I know caddy does TLS on demand, but I already have some Nginx Proxy Manager instances doing reverse proxy for other services, and redirecting from NPM to caddy had proven even more frustrating. Also, I wanted to try other PDS implementations.)

And then I learned of acme-dns:

GitHub - acme-dns/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. https://github.com/acme-dns/acme-dns

So I've set up an instance of this on my VPS, and now I can get nested wildcard certificates to my heart's content. Neat!

Careful if you try to do the same: exposing port 53 (necessary for DNS resolution, as part of the acme-challenge) will probably flag your machine as abusable for DDoS attacks and get you a notice from the federal cybersecurity office closest to your VPS. It can be argued to be a false positive, since it isn't really a true DNS server (it only answers acme-challenge lookups, refuses anything else, and does not do recursive queries to resolve "normal" DNS requests), but I'd still recommend that you: 1) set a rate limit in the firewall for port 53; and 2) do not expose the HTTP API publicly. Since you already have access to your VPS, just make the request from the VPS itself (e.g. if you do it like me and host it as a docker container, ssh into the VPS and then curl the container). For NPM (which I also host as a docker container), I have set it up inside the same docker network as acme-dns, so I can just use the acme-dns container name as the hostname for the HTTP API in NPM's configuration.
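Here is what the two precautions above look like in practice, as an added example that is not part of the original post and not acme-dns's own tooling. It assumes things the post does not state: that the VPS firewall is nftables, that the acme-dns container is named `acme-dns` on a shared docker network `172.20.0.0/16`, and that its HTTP API listens on port 80 inside that network (so it is never published with `-p`). The `/register` endpoint, the `allowfrom` field and the response fields (`fulldomain`, `subdomain`, `username`, `password`) are real acme-dns API features; the sample response below is constructed, not captured from a live instance.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for a self-hosted
# acme-dns behind docker. Assumed, not stated in the post: nftables, container
# name "acme-dns", docker network 172.20.0.0/16, API on port 80 inside it.

ACME_DNS_HOST="${ACME_DNS_HOST:-acme-dns}"       # container name, resolvable on the docker network
ACME_DNS_API_PORT="${ACME_DNS_API_PORT:-80}"      # never published to the internet
DOCKER_SUBNET="${DOCKER_SUBNET:-172.20.0.0/16}"   # only clients from here may call /update
DNS_RATE="${DNS_RATE:-20/second}"                 # per-source cap on port-53 traffic

# Print an nftables ruleset that drops port-53 packets from any single IPv4
# source exceeding DNS_RATE. It hooks prerouting at raw priority, so it
# applies before docker's NAT whether acme-dns runs on the host or in a
# container. (IPv6 is left untouched here; add an ipv6_addr set for it.)
acme_dns_nft_rules() {
    cat <<EOF
table inet acme_dns_guard {
    set dns_clients {
        type ipv4_addr
        flags dynamic
        timeout 1m
    }
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 add @dns_clients { ip saddr limit rate over ${DNS_RATE} burst 50 packets } drop
        tcp dport 53 add @dns_clients { ip saddr limit rate over ${DNS_RATE} burst 50 packets } drop
    }
}
EOF
}

# Register a new acme-dns account, run from the VPS itself (e.g. over ssh),
# not from the internet. allowfrom restricts which client addresses may later
# call /update with the returned credentials.
acme_dns_register() {
    curl -sS -X POST "http://${ACME_DNS_HOST}:${ACME_DNS_API_PORT}/register" \
        -H 'Content-Type: application/json' \
        -d "{\"allowfrom\": [\"${DOCKER_SUBNET}\"]}"
}

# Extract one string field from the compact JSON acme-dns returns (no jq needed).
acme_dns_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Print the CNAME record to create at the real DNS provider so that DNS-01
# validation for DOMAIN (and *.DOMAIN) is delegated to the acme-dns instance.
acme_dns_cname_record() {
    domain="$1"; reg_json="$2"
    printf '_acme-challenge.%s. CNAME %s.\n' "$domain" "$(acme_dns_field "$reg_json" fulldomain)"
}

# Constructed sample of a /register response (shape only; values are made up).
SAMPLE_REGISTER_JSON='{"username":"c36f50e8-4632-4f8d-9846-d5d5b3b1b3a5","password":"constructed-password","fulldomain":"d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example.org","subdomain":"d420c923-bbd7-4056-ab64-c3ca54c9b3cf","allowfrom":["172.20.0.0/16"]}'
```

Typical use on the VPS: `acme_dns_nft_rules | nft -f -` to load the rate limit, then `reg=$(acme_dns_register)` and `acme_dns_cname_record pds.vylion.com "$reg"` to get the CNAME to add at Cloudflare; the `username` and `password` fields from `$reg` are what NPM's acme-dns DNS challenge settings need, with the container name as the API hostname.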