well, I configure my services te request their own wildcard certs from a caching proxy acme to letsencrypt. Easy peasy.