Just to clarify: a wildcard covers ONLY that level.
So, even with a wildcard, you still likely need 2 certs: example.com (top level) and *.example.com (everything else).
Let’s Encrypt is awesome, but their wildcard support is not GA yet, so you are likely best off (if you can manage it) getting individual certs from them for each domain for the time being. That being said, since you’re hosting with DreamHost, you may not be able to install their client, which updates the certs, since their certs are only valid for 90 days.
There is another “magic” solution though: Cloudflare. Use Cloudflare to manage your DNS and use their free proxy service, and they will provide a free cert for your top level and second layer. They will also provide you with self-signed certs to install on your server that don’t expire for 20 years. They manage all certs, etc.
The only downside with Cloudflare certs is that, on the off chance that you want to turn off Cloudflare’s proxy (which you shouldn’t need to), you will have self-signed certs, which will give a warning to users. We use Cloudflare across 40 or so properties without issue.
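
The one-level rule from the post above, as an added example that is not part of the original post: a simplified RFC 6125-style name matcher that reports which hostnames a set of certificate names leaves uncovered. The function names and the sample hostnames are constructed for illustration.

```python
"""Check which hostnames a set of certificate DNS names actually covers."""


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers hostname.

    Simplified rule: '*' is honoured only as the whole left-most label,
    stands for exactly one label, and needs at least two labels after it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # Different label counts can never match: a wildcard does not span dots
    # and does not match "nothing", so the bare domain is not covered.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, hostnames):
    """Hostnames that no name in the certificate covers, in input order."""
    return [h for h in hostnames
            if not any(san_matches(n, h) for n in cert_names)]


# Constructed sample inventory of sites to serve over HTTPS.
SITES = [
    "example.com",
    "www.example.com",
    "shop.example.com",
    "api.dev.example.com",
]

if __name__ == "__main__":
    for names in (["*.example.com"],
                  ["example.com", "*.example.com"],
                  ["example.com", "*.example.com", "*.dev.example.com"]):
        print(names, "-> not covered:", uncovered(names, SITES))
```
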