Let's Encrypt Is Down (status.io)
24 points by kennu on July 19, 2021 | 10 comments


There should be no need for panicking. Your scripts should be renewing well in advance, and it's unlikely that Let's Encrypt will be down for days or weeks.


Self signed is better and more trustworthy. LE’s short cert expiration makes it an enormous pain in the ass. Just put your cert on your site and sign it.


The whole point of a CA is trust. How do I know a self-signed cert isn't a MITM attack?


Acquire their certificate from a trusted source.


It's turtles all the way down. You need an anchor of trust. A trust root. This is the public PKI system trusted root store.

Even if you obtain the self-signed cert out of band (and explicitly trust it), how do you authenticate that channel?

Self-signed certs are not scalable or particularly useful for internet users. Please don't recommend this.


Like a public certificate authority?


Maybe we could design a protocol for securing the socket layer, maybe even automate the key exchange so that it's basically transparent to the user, and then why not do the same thing for the people that need certs, let them ask for it whenever they want and provide them a nice tool to automatically renew it. /s


? I could understand if you had to renew manually/upload a new cert every 90 days, but it does it all automatically for you, doesn't it?


Not really. But with tools like Certbot and ACME Terraform providers (or just a periodic cron job), it's not too difficult to keep your certs up to date. (Just don't spam their prod provisioning servers.)


Kaidon is correct

If your 'Let's Encrypt' cert is not renewing on a cron job or something, you are doing it wrong.

Every guide I've seen involves setting this up.



