Caesar[m]capjamesg[d]: why not a wildcard cert? I use subdomains (and also more than one root domain but that's another story) and never had an issue with managing certs with LetsEncrypt. I do use reverse proxying to local sockets/ports (with Nginx) but from the subdomains.
