On Dec 29, 2016, at 4:47 PM, Michael Grimm trashcan@ellael.org wrote:
I only had the fear that mailing might break while being abroad, because manual intervention might have been missed during such a period in time.
A reasonable concern, a large fraction of LE users botch the cert renewal interaction with TLSA one or more times before they eventually figure out how to do it right.
If you:
* Configure LE cert renewal to NOT replace your key, just issue a new certificate for the *same* key as before:
https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
* Publish a "3 1 1" TLSA record for the stable public key.
Then LE certificate renewal requires no DNS changes, and can proceed in an automated manner via their tools.
From time to time, you might decide that your key has been lying around on your server too long, and may now be compromised. Then you create a new key-pair and do LE renewal with that key instead. You then can either go with the process outlined in:
http://tools.ietf.org/html/rfc7671#section-8.1
Or, if you trust LE to not issue certificates for your domain to strangers (the verification process for DV certificates is not especially strong), you can use the "3 1 1 + 2 1 1" approach to simplify the deployment process.
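As an added illustration of the advice above (this script is not from the thread, nor from Let's Encrypt or Postfix; it assumes only the OpenSSL command-line tool, and every key, certificate, name and path in it is constructed locally as a stand-in for a real LE issuance): compute the "3 1 1" record data from the stable key before any certificate exists, confirm that a "renewal" on the same key still matches that record while a certificate on a fresh key does not, and compute the "2 1 1" record data for the issuing CA's public key that the "3 1 1 + 2 1 1" arrangement publishes alongside it.

```shell
#!/bin/sh
# Added example, not part of the original mail. Demonstrates the TLSA
# arithmetic behind key-stable LE renewal: selector 1 (SubjectPublicKeyInfo),
# matching type 1 (SHA-256), usage 3 (DANE-EE, the server key) or usage 2
# (DANE-TA, the issuing CA key). All material below is generated locally.
set -eu

# SHA-256 (hex) of the DER SubjectPublicKeyInfo carried in a PEM certificate.
spki_sha256_of_cert() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same digest taken from the private key's public half, so the record
# can be published before the first certificate is ever issued.
spki_sha256_of_key() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# TLSA rdata for a given usage: "<usage> 1 1 <hex digest>".
tlsa_record() {   # $1 = usage (3 or 2), $2 = hex digest
    printf '%s 1 1 %s\n' "$1" "$2"
}

# Pre-deployment check for a renewed certificate: its SPKI digest must equal
# the digest already published in the "3 1 1" record. Exit status 0 on match.
cert_matches_311() {  # $1 = cert.pem, $2 = published hex digest
    [ "$(spki_sha256_of_cert "$1")" = "$2" ]
}

# ---- constructed scenario ------------------------------------------------
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

# A stand-in for the CA (hypothetical "Example Issuing CA", not Let's Encrypt).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$D/ca.key" 2>/dev/null
openssl req -x509 -new -key "$D/ca.key" -subj "/CN=Example Issuing CA" \
    -days 30 -out "$D/ca.pem" 2>/dev/null

# Issue a certificate for the CSR in $1 under the stand-in CA, writing $2.
issue_cert() {
    openssl x509 -req -in "$1" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
        -CAcreateserial -days 30 -out "$2" 2>/dev/null
}

# The stable server key (kept across renewals, as the mail recommends).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$D/mail.key" 2>/dev/null
openssl req -new -key "$D/mail.key" -subj "/CN=mail.example.com" \
    -out "$D/mail.csr" 2>/dev/null

# Record data computed from the key alone, published once.
KEY_DIGEST=$(spki_sha256_of_key "$D/mail.key")
CA_DIGEST=$(spki_sha256_of_cert "$D/ca.pem")
echo "_25._tcp.mail.example.com. IN TLSA $(tlsa_record 3 "$KEY_DIGEST")"
echo "_25._tcp.mail.example.com. IN TLSA $(tlsa_record 2 "$CA_DIGEST")"

# First issuance and a later "renewal" on the same key (same CSR, new cert).
issue_cert "$D/mail.csr" "$D/mail1.pem"
issue_cert "$D/mail.csr" "$D/mail2.pem"

# A rollover to a brand-new key, which the "3 1 1" record must NOT match.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$D/new.key" 2>/dev/null
openssl req -new -key "$D/new.key" -subj "/CN=mail.example.com" \
    -out "$D/new.csr" 2>/dev/null
issue_cert "$D/new.csr" "$D/mail3.pem"

for c in mail1 mail2 mail3; do
    if cert_matches_311 "$D/$c.pem" "$KEY_DIGEST"; then
        echo "$c.pem: matches published 3 1 1, safe to install"
    else
        echo "$c.pem: does NOT match published 3 1 1, update DNS first"
    fi
done
```

The "2 1 1" line is only the record data for the CA's public key; an actual DANE-TA match also requires the server to send the CA certificate in its chain and the client to validate that chain, which this script does not exercise. The "matches / does NOT match" check is the hook to run from a renewal deploy script before the new certificate is put into service.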