Let's Encrypt has announced the official support of the Wildcard certificate FINALLY.

Apply

Run command on your VPS:

~/certbot-auto certonly \
-d dallas.lu \
-d *.ngrok.dallas.lu \
-d *.dallas.lu \
-d other.com \
-d *.other.com \
--manual \
--preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory

Use --cert-name to set cert name, otherwise the domain name after the first '-d' param will be used as the cert name.

IP logged notice

The IP of the request machine will be logged, but it will not be public now. If worry about the important one of IPs on the VPS,you can modify the config files in /etc/sysconfig/network-scripts and restart the network service to change your IP temporarily. Type 'Y' to continue.

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

DNS txt records

Add a txt record.

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.dallas.lu with the following value:

QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

TIPS: if you want root.com and *.root.com verified in the same cert, you should add the params for each domain, for example: '-d dallas.lu -d *.dallas.lu'. AND, you need add multiple txt records. Use 'nslookup' to verify:

nslookup
> set type=txt
> _acme-challenge.dallas.lu
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
_acme-challenge.dallas.lu text = "I6Tys5RebMhWaBxN1e4fBaBj2OF7jUPl92tdDtfKjao"
_acme-challenge.dallas.lu text = "QQxHqbXK2aWM8qRWpAyenXo2QotSejV_ERnnc6MUEqU"

Cert

After verification:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dallas.lu/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dallas.lu/privkey.pem
Your cert will expire on 2018-06-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

We don't talk about configuring SSL certs now. If failed to verify some domains, just run the command again. The value of txt records will not change after verified.