
That's a great start.

But in a non-technical organisation, who should those messages go to?

Often the initial LetsEncrypt setup will be handled, correctly, by some IT staff. Then it might break several months or years later for some odd reason.

The organisational challenge is to get the message through to someone who understands it and will act on it.



Yes, and: fix bugs so the setup doesn’t break. I’m constantly babysitting LetsEncrypt. It’s always failing in some stupid way, and all it can do is email me with: “I’ve been silently failing for the last couple of months and now your certificate is going to expire if you don’t drop everything and comb through my logs now LOL!”

This time the problem was LE all of a sudden decided to start storing my certificate in a directory called mydomain.com-0001 instead of mydomain.com, breaking the rest of the setup that relies on things being in the right directory. Automation is only useful when the software behaves predictably and consistently.


Comforting to know I'm not the only one who constantly has random problems with Let's Encrypt. You're on point about the silently failing bit too.


LetsEncrypt issues for 3 months by default and then tries to renew after 2 months.

So if renewal fails you should have ~30 days to fix it.

But this does work best if your tools try the 2-month renewal. (I'm looking at you, wpengine!)
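
The timing described in the comment above (3-month certificates, renewal attempted at 2 months) can be turned into a check that fires as soon as the renewal point is missed, instead of waiting for the expiry warning. This is an added example, not part of the thread; the 3-day grace period, the function names and the sample dates are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: allow a few days of client retries before treating renewal as failed.
GRACE = timedelta(days=3)


def parse_cert_time(value: str) -> datetime:
    """Parse the notBefore/notAfter string format returned by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def renewal_status(not_before: str, not_after: str, now: datetime) -> tuple[str, int]:
    """Return (state, days_left) for the certificate currently being served.

    'overdue' means two thirds of the lifetime (2 of 3 months) plus the grace
    period has passed and the old certificate is still in place, i.e. renewal
    is failing silently while the certificate is still valid.
    """
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    renew_at = start + (end - start) * 2 / 3
    days_left = (end - now).days
    if now >= end:
        return "expired", days_left
    if now >= renew_at + GRACE:
        return "overdue", days_left
    return "ok", days_left


def fetch_validity(host: str, port: int = 443) -> tuple[str, str]:
    """Read notBefore/notAfter from the certificate a live host presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]


# Constructed sample: a 90-day certificate whose renewal point is 1 March 2024.
SAMPLE_NOT_BEFORE = "Jan  1 00:00:00 2024 GMT"
SAMPLE_NOT_AFTER = "Mar 31 00:00:00 2024 GMT"

if __name__ == "__main__":
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)
    print(renewal_status(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, now))
```

Run from a scheduler against the served certificate, an "overdue" result arrives roughly four weeks before expiry and can be routed to whoever owns the renewal setup.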


Which client are you using? Certbot?


> The organisational challenge is to get the message through to someone who understands it and will act on it.

Yes, and to keep a very infrequently used channel working and up-to-date.


This is why letsencrypt very sensibly creates short-lived certificates, meaning that the channel is not infrequently used.


The channel only needs to be used when the automated process breaks.


Oh right - yeah, that sucks. Rarely used processes often break.

Hence efforts like https://tools.ietf.org/html/rfc8701 - designed to make sure extensibility options don't get messed up.



