@snowcat

You'll need to setup a WildCard DNS A entry for sub-domains to map to your primary domain. If you look at the guide, you'll see this:

server_name examplewp.com *.examplewp.com;

This tells NGINX to map all sub-domains to your main domain unless they actually resolve to another server block. This doesn't, however, account for DNS.

You'll need to add an A entry to your DNS zone file for the WildCard (i.e. *). That'd look like this:

A          *          DROPLET_IP

Where DROPLET_IP is your Droplets IPv4 IP. With those two things taken care of, you should be able to use anything.examplewp.com and it resolve to the main domain. If it happens to be mapped using WPMU, then WPMU should take over and map the correct WordPress site.

One other thing to note is that LetsEncrypt doesn't support WildCard domains, so you can't pass:

letsencrypt certonly -d examplewp.com -d *.examplewp.com

You have to pass resolvable domains and sub-domains, i.e.

letsencrypt certonly -d examplewp.com -d www.examplewp.com

This may be an issue since you're wanting to use sub-domain mapping as the only way (right now) to get a WildCard SSL Certificate is to buy one. So without a WildCard SSL Certificate, each site would be HTTP only (not HTTPS/SSL/HTTP2).

@snowcat

If you use sub-domain mapping and want SSL for each mapped installation, you'd need to purchase a WildCard SSL Certificate for your main domain and install it. LetsEncrypt won't work for WildCards.

Passing multiple domains to the LetsEncrypt script in this case, would not be the best option as this is something you're going to have to do over and over again for each and every sub-domain you add as a site. That means if you add two sub-domains today, you have to run it. If you add two more tomorrow, same scenario.