Wildcard certs only cover a single level of subdomain. With *.mostr.pub I can get com.mostr.pub, but I would have to acquire a separate *.com.mostr.pub. There are over 1500 TLDs and growing, and that doesn't even cover fedi servers on subdomains like social.example.com. I still think it's worth doing, but the only practical way is to encode the domain into a single subdomain, e.g. replacing dots with hyphens. But I would need to be careful to handle punycode correctly and prevent spoofing.
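Plain dot-to-hyphen replacement is not injective: `social.example.com` and `social-example.com` both become `social-example-com`, which is exactly the spoofing problem mentioned above. The following is an added example (not mostr's code) of a collision-free variant of the same idea: the host is first normalised to ASCII A-labels with the stdlib `idna` codec (IDNA 2003; swap in the `idna` package for IDNA 2008 if needed), then dots become `-` and literal hyphens are doubled to `--`. Because LDH labels never start or end with a hyphen, a hyphen run in the packed form is either exactly one (a separator) or even (escaped literals), so decoding is unambiguous. A fixed two-character prefix (`h0`, an assumption) keeps `--` out of the third and fourth positions, so the packed label can never be mistaken for an `xn--` punycode label by a client that tries to render it. The zone `mostr.pub` is taken from the post.

```python
"""Pack a full hostname into one DNS label under a fixed zone, and back.

Added example, not mostr's own code. Assumptions: ZONE is the bridge's
wildcard zone, PREFIX is any two LDH characters that do not start "xn".
Escape rules on the A-label (ASCII) form of the host:
    '.' -> '-'    label separator
    '-' -> '--'   literal hyphen, doubled
"""
import re

ZONE = "mostr.pub"       # from the post
PREFIX = "h0"            # assumption: fixed namespace tag, never "xn"
# RFC 1123 LDH label: 1-63 chars, no leading/trailing hyphen, lowercase.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def to_ascii_host(host: str) -> str:
    """Lowercase, strip a trailing dot, punycode IDN labels, validate LDH."""
    host = host.rstrip(".").lower()
    if not host:
        raise ValueError("empty hostname")
    # str.encode("idna") is stdlib: nameprep + punycode per label (IDNA 2003).
    # It raises UnicodeError (a ValueError) on empty or over-long labels.
    ascii_host = host.encode("idna").decode("ascii")
    for label in ascii_host.split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r} in {host!r}")
    return ascii_host


def pack(host: str) -> str:
    """Encode a hostname as a single label under ZONE."""
    ascii_host = to_ascii_host(host)
    body = "-".join(label.replace("-", "--") for label in ascii_host.split("."))
    label = PREFIX + body
    if len(label) > 63:
        raise ValueError("packed label exceeds 63 octets")
    # body[0] is the first char of a valid label, so it is never '-'; this
    # guarantees no "--" at positions 3-4, the form IDNA reserves for A-labels.
    if label[2:4] == "--":
        raise ValueError("packed label would look like an A-label")
    return f"{label}.{ZONE}"


def unpack(fqdn: str) -> str:
    """Invert pack(); returns the A-label (ASCII) hostname or raises ValueError."""
    fqdn = fqdn.rstrip(".").lower()
    suffix = "." + ZONE
    if not fqdn.endswith(suffix):
        raise ValueError("not under zone")
    label = fqdn[: -len(suffix)]
    if "." in label or not label.startswith(PREFIX):
        raise ValueError("not a packed label")
    body = label[len(PREFIX):]
    # Greedy scan: each "--" is one literal '-', a lone '-' is a separator.
    labels, cur, i = [], [], 0
    while i < len(body):
        if body[i] != "-":
            cur.append(body[i])
            i += 1
        elif body[i:i + 2] == "--":
            cur.append("-")
            i += 2
        else:
            labels.append("".join(cur))
            cur = []
            i += 1
    labels.append("".join(cur))
    host = ".".join(labels)
    # Re-validate: an odd hyphen run > 1 decodes to a label ending in '-',
    # which the LDH check rejects, so crafted labels cannot smuggle a host.
    if to_ascii_host(host) != host:
        raise ValueError("malformed packed label")
    return host


def display(host_ascii: str) -> str:
    """Unicode form for display only; compare identities on the ASCII form."""
    return host_ascii.encode("ascii").decode("idna")


if __name__ == "__main__":
    for h in ("social.example.com", "social-example.com", "bücher.example"):
        packed = pack(h)
        print(f"{h!r:24} -> {packed:45} -> {unpack(packed)!r}")
```

Identity comparisons (allow-lists, account lookups) should be done on the ASCII form returned by `unpack`, and `display` used only for rendering; that keeps a host whose U-label looks like another site from ever matching it.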