Okay, be skeptical. I didn't want to void our support contract over finding out. Would you come to my rescue if I did?
First the certs need to be renewed every three years. And some browsers want to raise warnings if they're past a year old. And Let's Encrypt is down to three months. Just waiting for the next click of the ratchet.
> Okay, be skeptical. I didn't want to void our support contract over finding out.
Really? Your support contract would be voided if you automated certificate renewal? If what you're saying is true, the problem isn't with short renewal times, it's with your absurd support contract. Automatic renewal is the industry standard at this point. If anything, your support contract should be voided if an error occurs because you failed to automate this. I suppose it's possible that your support contract is that absurd, but given it sounds like you didn't even check, it seems a lot more likely that you don't know how to automate it and refuse to learn.
You don't get to critique Let's Encrypt, a system built with automatic renewal as a fundamental component, if you refuse to use the very simple to use tools[1] they provide for automatic renewal. Maybe it's the support contract's fault, maybe it's your fault, but it's definitely not LetsEncrypt's fault that you're stuck in 2010 through incompetence or bad contract negotiation. You could spend literally 5 minutes per server and never have this problem again.
All of the cert stuff was hidden behind a very complex series of menuing and more. I keep saying it in different ways: This wasn't just an Apache server.
Could I have pried behind the curtain? Yes? Would it have worked? Most likely! Were there lots of big warnings about not screwing with various sections of the configuration even if I could get to them? Also yes. They really didn't want you to interact with the system beyond a few set points and that was clarified to me in a call with tech support. I didn't like it, but that's what I had to work with.
This just wasn't one of a thousand bog-standard Apache rollouts that you could chuck certs into. Want your CSR? Go through their menu system to generate it. Want to install it? Upload it to this specific directory, then hit the menus again.
CertBot is fine for what it does. Great. But it wasn't appropriate for what we had.
Another one of the servers isn't based on Apache at all, it's a compiled executable (yeah, .exe) running on Windows. It starts off of .ini files.
CertBot doesn't work everywhere for everything that has ever served HTTPS in the history of computing. This shouldn't be something I have to mention but I guess I have to do it.
> Another one of the servers isn't based on Apache at all, it's a compiled executable (yeah, .exe) running on Windows. It starts off of .ini files.
So? If you think any of what you've said means Certbot can't be used: again, it's pretty clear that you don't know what Certbot does.
Certbot works anywhere you have a command line and an internet connection, and can be automated if you have cron or a cron-like utility.
There might be a bit more complexity if you have to open a port for callback or store the certs in memory or in a database, but we're still talking < 20 lines of shell code.
> CertBot doesn't work everywhere for everything that has ever served HTTPS in the history of computing. This shouldn't be something I have to mention but I guess I have to do it.
That may be true, but so far all the examples you've given are just examples of you not knowing how Certbot works.
Really dude, I don't know why you want to have an argument about Certbot without knowing anything about Certbot. Anyone who spends a few minutes reading the Certbot docs can see you haven't researched it. Probably nobody is reading this besides me, but if they are, you aren't impressing them, and you aren't persuading me. There's nothing wrong with not knowing anything about Certbot, but it's a bit silly to pretend you do when you don't.
If there are technical reasons you can't use Certbot, you certainly haven't said any of them, and the things you think are reasons just demonstrate a lack of knowledge. Again, there's nothing wrong with not knowing things. But seriously, this would save you so much time! Why wouldn't you at least look into it?
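A deploy hook of the kind the reply above describes, added here as an example and not any commenter's code: Certbot obtains the certificate in standalone mode and then runs this script, which installs the files where a non-Apache server expects them. The application directory, file names and restart command are placeholders for a hypothetical vendor server; only RENEWED_LINEAGE and RENEWED_DOMAINS are real Certbot behaviour.

```shell
#!/bin/sh
# Certbot deploy hook, run only after a successful renewal, e.g.
#   certbot renew --deploy-hook /usr/local/bin/install-cert.sh
# Certbot exports RENEWED_LINEAGE (the live/<name> directory holding the new
# fullchain.pem and privkey.pem) and RENEWED_DOMAINS before calling the hook.
set -eu

# Hypothetical application layout (assumption): the vendor server reads its
# certificate and key from a fixed directory and must be restarted afterwards.
APP_CERT_DIR="${APP_CERT_DIR:-/opt/vendorapp/ssl}"
APP_RESTART_CMD="${APP_RESTART_CMD:-systemctl restart vendorapp}"

# install_renewed_cert LINEAGE_DIR DEST_DIR RESTART_CMD
# Copies the renewed chain and key into DEST_DIR with restrictive permissions,
# then runs RESTART_CMD so the server picks them up. Returns non-zero without
# touching DEST_DIR if the renewal directory is incomplete.
install_renewed_cert() {
    lineage="$1"; dest="$2"; restart="$3"
    # Refuse to install from a half-written or unexpected lineage directory.
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    # Copy to temporary names and rename, so the server never reads a partial file.
    cp "$lineage/fullchain.pem" "$dest/server.crt.tmp"
    cp "$lineage/privkey.pem"   "$dest/server.key.tmp"
    chmod 644 "$dest/server.crt.tmp"
    chmod 600 "$dest/server.key.tmp"   # private key readable by the owner only
    mv "$dest/server.crt.tmp" "$dest/server.crt"
    mv "$dest/server.key.tmp" "$dest/server.key"
    sh -c "$restart"
}

# Only act when Certbot invoked us; running the script by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "installing renewed certificate for ${RENEWED_DOMAINS:-?}" >&2
    install_renewed_cert "$RENEWED_LINEAGE" "$APP_CERT_DIR" "$APP_RESTART_CMD"
fi
```

The same hook works for a Windows service if the copy and restart lines are rewritten for that platform; Certbot passes the same environment variables there.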