Setting up local Caddy with Porkbun (wiki.livingcartoon.org)
from kiol@discuss.online to selfhosted@lemmy.world on 30 Jun 16:44
https://discuss.online/post/41958260

cross-posted from: discuss.online/post/41958206

Open to suggestions for managing Caddy for domains from Porkbun.

  • Porkbun itself is using Cloudflare.
  • Their Caddy module is confusing to set up due to API changes and older documentation.
  • I’d like to use a declarative json configuration, but first I just need Porkbun to play nice enough to work when adding subdomains via wildcard.

The Goal

Set up legit Let’s Encrypt as wildcard locally to test services at *example.domain.com, then put them into production on the main site wildcard *.domain.com on a VPS or similar.

Seeking Advice

Can anyone advise on setup recommendations? I’m currently using Nginx, which I had no difficulty setting up with an ACME challenge. Perhaps I’m approaching Caddy in the wrong way. Thanks for any ideas!

#selfhosted


moonpiedumplings@programming.dev on 30 Jun 16:55

Set up legit Let’s Encrypt as wildcard locally to test services at *example.domain.com, then put them into production on the main site wildcard *.domain.com on a VPS or similar.

Just to be clear, why wouldn’t simply provisioning a certificate for each subdomain under the wildcard work?

Like, if you have a test site test.example.domain.com, you could have nginx (using acme) create a certificate for that. And then when you move to test.domain.com, nginx would do the same thing.

Now, technically letsencrypt does have a rate limit, but it’s a fairly generous rate limit:

Up to 50 certificates can be issued per registered domain (or IPv4 address, or IPv6 /64 range) every 7 days. This is a global limit, and all new order requests, regardless of which account submits them, count towards this limit. The ability to issue new certificates for the same registered domain refills at a rate of 1 certificate every 202 minutes.

I would do my testing this way, and I didn’t hit any limits, although I was careful to keep certificates and reuse them, and to not spam.

If you need more domains with SSL than that rate limit would provide, then it would make sense to investigate Caddy with porkbun, since DNS-01 challenges are the only way to get wildcard certificates, which apply to a whole wildcard.

kiol@discuss.online on 30 Jun 17:00

Thanks for the thoughts. I’ll reference this as I continue working on this.

moonpiedumplings@programming.dev on 30 Jun 16:59

Second comment, but if you need/want Caddy we can help with that too. It looks like the documentation link in the GitHub page you linked is dead, and the correct one is: caddyserver.com/docs/json/apps/tls/…/acme/

I found that from this page: caddy.community/t/…/8148
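As an added example (not from the thread or the Caddy project), here is the declarative JSON shape the OP asked for: a wildcard automation policy that issues via the DNS-01 challenge through the Porkbun provider, reads the credentials from environment variables instead of the config file, and points at the Let’s Encrypt staging CA so test runs do not burn the production rate limit quoted above. It assumes a Caddy binary built with the plugin (`xcaddy build --with github.com/caddy-dns/porkbun`), that the provider’s field names are `api_key` and `api_secret_key` as in that module’s README, and a placeholder upstream on 127.0.0.1:8080.

```json
{
  "apps": {
    "http": {
      "servers": {
        "test": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{ "host": ["*.example.domain.com"] }],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [{ "dial": "127.0.0.1:8080" }]
                }
              ]
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["*.example.domain.com"],
            "issuers": [
              {
                "module": "acme",
                "ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "porkbun",
                      "api_key": "{env.PORKBUN_API_KEY}",
                      "api_secret_key": "{env.PORKBUN_API_SECRET_KEY}"
                    },
                    "propagation_delay": "30s"
                  }
                }
              }
            ]
          }
        ]
      }
    }
  }
}
```

Remove the `"ca"` line once the staging run succeeds so production issues from the real Let’s Encrypt directory, and keep the `propagation_delay` (or raise it) if Porkbun’s Cloudflare-fronted DNS is slow to expose the `_acme-challenge` TXT record to the validators.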

kiol@discuss.online on 30 Jun 17:01

Thanks again. Will reference this as well, and provide an update with what happens.