Last night (actually, very early this morning) mechanicjay generated and installed new Let's Encrypt certs for our servers.
I made a quick check and everything seems to be in place. The old certs were due to expire right about now, so if you do have any issues, please pop onto IRC (preferred) or reply here and let us know!
Out of interest, why not just run certbot and have it do that for you automatically? I'm probably missing something and asking a dumb question, but if I have the question, then others likely do too, so I'll play the dumb one.
Explanation copied from IRC. SoyCow5342 is the AC who asked the question above.
<requerdanos> a partial answer is that certbot is essentially intended to simplify the process of installing certificates for websites, whereas soylent uses them for other servers as well (mail, irc)
<janrinok> SoyCow5342, there have been problems in the past where the automatic update did not do the update correctly and left us having to try to recover using the linode software alone. However, we now think that that problem might have been solved so we are running the automatic scripts 'manually' to check that everything behaves.
<requerdanos> another piece is that if something were to go wrong mid-cert-update, an automatic process might take more troubleshooting (=more downtime) than a manual one where you know where you were
<janrinok> as it is, all the essential boxes have updated correctly but, as requerdanos has pointed out, some of the others still need some work.
<janrinok> That is why MartyB was asking for any information if you see things are not behaving as you would expect them to.
... asking for a friend (he's so dumb, couldn't dumb it down enough).
No such API on BIND? What version are you running that doesn't support TSIG? That is the standard way to do this, after all. Just generate a TSIG key and restrict its update policy to TXT records for _acme-challenge.soylentnews.org.
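For reference, here is what the TSIG-plus-update-policy setup described in the comment above looks like in named.conf. This is an added example, not SoylentNews' actual configuration; the key name "acme-update", the zone file path and the secret are placeholders.

```conf
# Added example of a least-privilege dynamic-update key for the DNS-01 challenge.
# Generate the key material with:  tsig-keygen acme-update
# (the key name and secret below are placeholders, not real values)
key "acme-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-FROM-tsig-keygen";
};

zone "soylentnews.org" {
    type primary;            # "type master" on BIND releases before 9.16
    file "zones/soylentnews.org.db";   # placeholder path

    # Least privilege: the key may add or delete records ONLY of type TXT
    # and ONLY at the exact name _acme-challenge.soylentnews.org.
    # It cannot touch A/AAAA/MX or any other name in the zone, so a leaked
    # key cannot redirect mail, web or IRC traffic.
    update-policy {
        grant acme-update name _acme-challenge.soylentnews.org TXT;
    };
};
```

The same key can then be handed to certbot's dns-rfc2136 plugin (or used directly with nsupdate), which only needs to add and remove those TXT records; multiple TXT records at that one name are allowed, which is what a wildcard plus base-domain request needs.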
"Because Let's Encrypt requires a DNS TXT record for domain validation in order to pull wildcard certs."
We had this issue with namecheap. It was reason enough for me to dump them, especially after they claimed that eff's certificates were not as secure -- I trust eff.org FAR MORE than most of the paid certificates.
Now we use dreamhost. I don't know what other hosting companies support certbot, but I do know it is a p.i.t.a. to switch.