
Teams has its issues, but this is a click bait article

> First, the attacker needs to issue a certificate for the compromised sub-domains.



Yes - can someone shed some light on how someone would (a) compromise a subdomain and (b) get a cert issued? This seems like you would need to be internal to the org, not the 3rd party exploit the article is trying to push?


If you are able to host a file on the domain at a specific location, then you can use Let's Encrypt for instance.

Certbot uses one's ability to present a resource (aka acme-challenge) on the domain for issuing certs (either via http or dns txt record).

More info: https://certbot.eff.org/docs/using.html#changing-a-certifica...
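
Added example, not part of the thread and not Certbot's own code: what the CA compares during the http-01 and dns-01 challenges the comment above refers to, following RFC 8555 (ACME) and RFC 7638 (JWK thumbprint). The function names, the token and both account keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: placeholder strings, not a real token or real key material.
TOKEN = "constructed-token-0123456789"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "different-x", "y": "different-y"}

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Binds the CA-issued token to the requesting ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_path(token: str) -> str:
    """Path the CA fetches over plain HTTP on port 80 of the name being validated."""
    return f"/.well-known/acme-challenge/{token}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value expected in the TXT record at _acme-challenge.<name>."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)

def http01_response_valid(body: bytes, token: str, account_jwk: dict) -> bool:
    """CA-side comparison: served body must equal the key authorization
    (trailing whitespace ignored)."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(body.rstrip(), expected)

if __name__ == "__main__":
    print("GET", http01_path(TOKEN))
    print("body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("TXT :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

The check proves only control of that one URL path or that one TXT record at validation time, so it passes for whoever serves content for the name, whether or not they own the parent domain.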


Yes, but how would you host a file on the sub domain?


Presumably the ability to serve HTTP on ports 80 and 443 would be sufficient.



