Sigh. Last selfcert I rolled was for 1200 days because I’m sick of doing it by hand. Nor am I willing to let some dingbat script go running amok writing key files as root.
I’m totally willing to let some dingbat script [of mine] run amok writing key files as root, but I’m annoyed at how many daemon processes I have that cannot read a new cert without being restarted. Issuing a new cert for me is tantamount to rebooting.
I’m not terribly against letting something auto-update my certs (though I fully understand your hesitation). Here’s the issue for me: I don’t use apache. Nor do I use nginx, lighttpd or any other common web server. I use Warp. It lets me keep my whole webpage entirely in native, type-checked Haskell (which has a ton of benefits).
Until there is an ACME-compatible library for Haskell that allows me to utilize LE, I’m probably not going to be able to use it. Having said that, I would definitely consider writing that module once I get the free time.
If the daemon were willing to share the socket, you could replace it without restarting… Check out SO_REUSEPORT.
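The handover the reply hints at, as an added example that is not part of the thread: two listeners share one TCP port via SO_REUSEPORT, the old one keeps serving until the replacement is bound, then the old one closes and every new connection lands on the replacement, so a daemon with a freshly issued cert can take over without the port ever going dark. It is written in Python rather than Haskell because the mechanism is a socket option, not a Warp feature, and it assumes Linux semantics (every socket on the port must set the option and be owned by the same uid). The "cert-2015"/"cert-2016" banners are hypothetical stand-ins for the certificate each process has loaded.

```python
"""Zero-restart listener handover with SO_REUSEPORT.

Added example. Assumes Linux: every socket bound to the port must set
SO_REUSEPORT, all must share the same effective uid, and the kernel
spreads incoming connections across the live listeners.
"""
import errno
import socket

HOST = "127.0.0.1"


def bind_listener(port, reuseport=True):
    """Listening TCP socket; with reuseport=True it can share the port
    with other SO_REUSEPORT listeners owned by the same user."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuseport:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    s.bind((HOST, port))
    s.listen(16)
    return s


def serve_one(listener, banner):
    """Accept exactly one queued connection and answer with `banner`,
    standing in for a daemon that has one particular cert loaded."""
    conn, _ = listener.accept()
    try:
        conn.sendall(banner)
    finally:
        conn.close()


def roundtrip(listener, port, banner):
    """Connect as a client, let `listener` answer, return what the client saw.
    The TCP handshake completes in the kernel's accept backlog, so connect()
    returns before accept() is called and all of this runs in one thread."""
    client = socket.create_connection((HOST, port), timeout=5)
    try:
        serve_one(listener, banner)
        return client.recv(64)
    finally:
        client.close()


def handover_demo():
    """Old daemon serves, replacement binds the same port, old one closes,
    new connections go to the replacement. Returns what each client saw."""
    result = {}
    old = bind_listener(0)                  # port 0: kernel picks a free port
    port = old.getsockname()[1]
    result["before"] = roundtrip(old, port, b"cert-2015\n")

    # A second listener WITHOUT the option cannot join the port: EADDRINUSE.
    # (The same happens if the first listener lacked it or a different uid
    # owns it, which is what keeps a stray process from hijacking the port.)
    try:
        bind_listener(port, reuseport=False).close()
        result["plain_bind"] = "allowed"
    except OSError as e:
        result["plain_bind"] = errno.errorcode[e.errno]

    # The replacement (hypothetically holding the new cert) binds the same
    # port while the old one is still listening; nothing is refused.
    new = bind_listener(port)

    # Retire the old listener. Caveat: connections already sitting in the
    # old socket's backlog but not yet accept()ed are reset when it closes,
    # so a real daemon drains its queue before this step.
    old.close()
    result["after"] = roundtrip(new, port, b"cert-2016\n")
    new.close()
    return result


if __name__ == "__main__":
    print(handover_demo())
```

Run it as-is; it uses only loopback and an ephemeral port. The draining caveat in the comments is the part that bites in practice: SO_REUSEPORT removes the restart, but the old process still has to finish its in-flight and queued connections before it closes its listening socket.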