SSLMate – Buy SSL certs from the command line

[nailer]

> What popular is changes rapidly, sometimes overnight.

That's correct. CAs also check for TLDs in unusual places (and unicode hacks, etc) in the requested SANs (Subject Alt Names, practically server names) during verification.