I've talked to the Let's Encrypt people on several occasions about this. I think they will support wildcards eventually. The details are surprisingly hairy, though. In the meantime, we'll keep providing free certs under Sandcats.
Sorry, that won't work. Sandstorm needs a new hostname every time you open a document (that's a lot of hostnames), and to provide any CSRF mitigation it needs to be a secret (where anything you list on the certificate immediately becomes public knowledge).
I too wish we didn't have the wildcard requirement. Unfortunately, same-origin policy being what it is, there's really no way for us to get away from the wildcard requirement without losing most of our security gains.
You've probably seen this already but for others wondering about the details:
https://docs.sandstorm.io/en/latest/administering/wildcard/
And a sample of security problems that our security model (of which the wildcard is an essential part, since it enables fine-grained isolation) has helped protect against:
https://docs.sandstorm.io/en/latest/using/security-non-event...
Thanks for using Sandstorm!