AWS Certificate Manager manages this all for you via DNS validation.
Granted, you're locked into their ecosystem, can't export the PK, etc., so it's FAR from a perfect solution here, but I've actually been pretty impressed with the product from a "I need to run my personal website and don't want to have to care about certificates" perspective. Granted, you're paying for the cert, just not directly.
I agree with your statement completely though.
How much does that end up costing? I'm interested to know for my own personal domain.