You now have described the status quo in length. But you have not touched on why it is supposed to make sense. You have not provided attack vectors for the easier alternatives.
By uploading a file to tekmol.freewebhost.com,
you haven't proven that you control either
.freewebhost.com
Who said that putting a file on a subdomain should grant you a cert on the domain? Putting it on domain.com/.well-known/acme-challenge/ should.
They attempted to indicate wildcards there, but HN ate them. That should say "you haven't proven that you control either *.freewebhost.com or *.tekmol.freewebhost.com".
Now, I can definitely see there being a system where the owner of the root domain (eg, freewebhost.com) can set up something in their own .well-known directory that specifies that any subdomains can only declare certs for that specific subdomain, rather than being able to claim a wildcard, and then we can allow certs that sign wildcards in cases where such a limiter is not in place.
In any case, this would only solve the DNS auth hurdle, not the overall expiration hurdle.
