I tried splitting the same blog across multiple domains and giving them different SSL certificates, but the setup turned out to be awkward.

Using Synology's reverse proxy, I mapped several ports and ran into conflicts. I still haven't figured out exactly why. For now, the practical solution is much simpler: keep a single apex domain, use one certificate for it, and turn off HSTS.
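What turning off HSTS involves on the browser side, as an added example that is not part of the original post: a simplified model of the RFC 6797 host cache. It shows that a cached policy applies to every port on a host (and to subdomains with `includeSubDomains`), and that simply dropping the header does not clear a cached policy while `max-age=0` does. The names `parse_hsts`, `HstsCache`, `upgrade` and `SAMPLE_POLICY` are made up for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

SAMPLE_POLICY = "max-age=31536000; includeSubDomains"  # constructed sample header

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    max_age, include_sub = None, False
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"[0-9]+", arg):
                return None  # duplicate or malformed max-age voids the header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    """Simplified model of a browser's known-HSTS-host list (RFC 6797)."""
    def __init__(self):
        self.entries = {}  # host -> (expiry, include_subdomains)

    def observe(self, host, header, now, secure=True):
        # Headers over plain HTTP are ignored; a missing header changes nothing.
        parsed = parse_hsts(header) if (secure and header) else None
        if parsed is None:
            return
        if parsed[0] == 0:
            self.entries.pop(host.lower(), None)  # max-age=0: forget the host
        else:
            self.entries[host.lower()] = (now + parsed[0], parsed[1])

    def is_forced_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then parent domains
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def upgrade(cache, url, now):
    """Rewrite an http:// URL the way an HSTS-aware client would."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not cache.is_forced_https(parts.hostname, now):
        return url
    port = "" if parts.port in (None, 80) else f":{parts.port}"  # port is kept
    return urlunsplit(("https", parts.hostname + port, parts.path, parts.query, parts.fragment))
```

With a policy cached for a constructed apex such as `home.example`, `upgrade(cache, "http://nas.home.example:5000/login", now)` returns the `https://` URL on the same port, so a service that only speaks HTTP on that port stops loading until the policy expires or is cleared.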

I enabled HTTP/2 as well. It seems a bit faster.

The SSL certificate for Bitwarden is already configured, and I handled the certificates through Tencent Cloud:

https://console.cloud.tencent.com/ssl

Cloudflare can also be used for certificate-related setup. In the dashboard, go into the domain and adjust the DNS settings:

https://dash.cloudflare.com/

For domains that had been set up with a tunnel before, Tencent requires the CNAME record and its value for verification. After that, you just wait for validation to complete. Revoking an SSL certificate is slow though — roughly 24 hours.

Issuing a new certificate is much faster, usually only a few minutes.

I also tried Certbot, but it failed. There are logs, but I was too lazy to dig into them. If I end up needing more certificates later, I'll revisit it.

As for domains, Tencent charges 2 RMB more than Alibaba Cloud for .xyz. On Tencent, it's 8 RMB per year. A six-character .xyz is still the cheapest domain option I've found right now.

Tencent also has a quota difference for SSL certificates: 30 certificates for domains registered with Tencent itself, and 20 for domains from other registrars. That was enough reason for me to register a six-character .xyz on Tencent Cloud.

I also almost grabbed a nice six-character domain on Alibaba Cloud. I thought I had successfully registered it, but later realized I got the order wrong. So that one was a complete miss.
