Certain use cases preclude DNS dynamic updates to a zone for technical, policy or other reasons. This post explains a simple way to enable automatic DNS-based authorization for Let’s Encrypt certificates – and perhaps for other vendors’ – by way of delegating the authorization challenge to a trusted DNS zone.
Implementing TLSA or HPKP for certificate pinning while using automated certificate authorities such as Let’s Encrypt can be tricky. These notes explain how I do it on my servers, using GnuTLS to do the heavy lifting.
Managing multiple sets of certificates with Let’s Encrypt and Certbot does not have to be complicated. This post contains some of my notes about managing servers with Nginx, Sendmail and Dovecot along with Let’s Encrypt certificates.