You shouldn't beat yourself up too much. TLS is HARD and poorly documented, and implementations vary significantly between applications and vendors (and are very dumbly designed). TLS is what you get when you let someone implement technology with specific domain knowledge (encryption) but no UX abilities or a comprehensive understanding of how their solution will be used.
I had the same horrified realization a few years ago when someone explained Certificate Transparency[1] to me.
Ah, my mistake then. I use a wildcard DNS record but separate Let's Encrypt certs for every subdomain. So to truly be stealthy I'd have to use a wildcard DNS record AND a wildcard SSL cert.
Sounds like I got myself a project for this weekend: implement a wildcard cert for my rev-proxy at home :)
EDIT: I guess the logs would still show the old certs, so my subdomains would still be exposed. Huh. At least future subdomains would be hidden.
EDIT2: Are there more ways for subdomains to get exposed, other than through DNS or SSL certs?
I use NPM at home. Tested Caddy a bit, but I really liked NPM's convenience of having a web UI. It allows me to do stuff remotely on my phone without having to dive into conf files.
Anyways, what I liked about Caddy was how easily it handles SSL certs; for sure makes it easier to use! :) Gonna have to look into how I can give a wildcard cert to my rev-proxy.
Always thought that using *.domain.net for home use was cool, because that way random people don't know what kinds of subdomains I use.
Turns out they can find it out by just checking all the certs for my domain. Well. The more you know.
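The "checking all the certs for my domain" step from the comments above, as an added example that is not part of the original thread or of any project mentioned in it. It mimics what a crt.sh query (`https://crt.sh/?q=%25.example.com&output=json`) returns: a JSON list of Certificate Transparency log entries whose `name_value` field carries the certificate's DNS names, newline-separated. The log entries below are constructed for a hypothetical domain `home.example`, not real log data; the `since` cut-off illustrates the EDIT above: the log is append-only, so per-subdomain certs issued before the switch to a wildcard keep exposing those names, while the wildcard cert itself reveals only the base domain.

```python
"""Enumerate hostnames that Certificate Transparency logs reveal for a domain.

Added example, not from the original thread. The crt.sh JSON shape
(list of entries with "name_value" holding newline-separated DNS names and
"not_before" as an ISO-8601 timestamp) is real; the entries below are
CONSTRUCTED sample data for the hypothetical domain "home.example".
"""
import json
import urllib.parse
import urllib.request

# Constructed sample: three per-subdomain certs, then one wildcard cert.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "not_before": "2023-01-01T00:00:00",
     "name_value": "nas.home.example"},
    {"id": 2, "not_before": "2023-02-01T00:00:00",
     "name_value": "git.home.example\nwww.git.home.example"},
    {"id": 3, "not_before": "2023-03-01T00:00:00",
     "name_value": "vpn.home.example"},
    {"id": 4, "not_before": "2024-06-01T00:00:00",
     "name_value": "*.home.example\nhome.example"},
])


def _names(entry: dict) -> set[str]:
    """All DNS names in one log entry ("name_value" is newline-separated)."""
    return {n.strip().lower()
            for n in entry.get("name_value", "").split("\n") if n.strip()}


def _under(name: str, domain: str) -> bool:
    """True if name is the domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def exposed_hostnames(crtsh_json: str, domain: str, since: str = "") -> set[str]:
    """Concrete (non-wildcard) hostnames under `domain` that the log reveals.

    Only entries with not_before >= `since` are considered (plain string
    comparison of ISO-8601 timestamps; "" means every entry).
    """
    domain = domain.lower()
    found: set[str] = set()
    for entry in json.loads(crtsh_json):
        if entry.get("not_before", "") < since:
            continue  # issued before the cut-off, skip
        for name in _names(entry):
            if not name.startswith("*.") and _under(name, domain):
                found.add(name)
    return found


def wildcard_names(crtsh_json: str, domain: str) -> set[str]:
    """Wildcard names under `domain` present in the log (they hide labels)."""
    domain = domain.lower()
    return {name for entry in json.loads(crtsh_json) for name in _names(entry)
            if name.startswith("*.") and _under(name, domain)}


def crtsh_url(domain: str) -> str:
    """Real crt.sh query URL for every cert under `domain`.

    "%25" is a URL-encoded "%", which crt.sh treats as an SQL LIKE wildcard.
    """
    return ("https://crt.sh/?q=" + urllib.parse.quote("%." + domain, safe="")
            + "&output=json")


def fetch_crtsh(domain: str, timeout: float = 30.0) -> str:
    """Network helper for live use; the offline demo below does not call it."""
    with urllib.request.urlopen(crtsh_url(domain), timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    domain = "home.example"
    print("all names ever exposed:", sorted(exposed_hostnames(SAMPLE_CRTSH_JSON, domain)))
    print("exposed by certs since 2024-01-01:",
          sorted(exposed_hostnames(SAMPLE_CRTSH_JSON, domain, since="2024-01-01")))
    print("wildcards in log:", sorted(wildcard_names(SAMPLE_CRTSH_JSON, domain)))
    print("query for the real thing:", crtsh_url(domain))
```

Run against the constructed data, the pre-wildcard entries still give away `nas`, `git`, `www.git` and `vpn`, while the only name learned from certs issued after the switch is the bare `home.example`. Swap `SAMPLE_CRTSH_JSON` for `fetch_crtsh("your.domain")` to run the same enumeration against the live log.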