Since early July the whole stack - web pages, DoH, DoT and DoQ - serves one Let's Encrypt certificate from the shortlived profile: 160 hours of validity, four hostnames plus the bare IP 194.180.189.33 in the SAN list. The short lifetime is the condition attached to free IP certificates, and it turns renewal into a twice-a-week background process that has to work unattended. That operation is now published as a runbook, read from the live system.
What the runbook covers
- Why 160 hours: IP identifiers are only issued under the shortlived profile, and the one paid alternative rejects IP requests without address-block entitlement.
- Issuance: the exact certbot command, and what comes back - an empty subject, a critical SAN extension, and a lifetime of precisely 160 hours.
- The renewal rhythm: ACME Renewal Information (RFC 9773) opens the window at the lifetime's midpoint; the lineage's own archive shows natural renewals every 3.3 days with one unchanging public key.
- The scripts, complete: the cert-watch watchdog (first alarm from the certbot exit code, a 40-hour validity floor as the second net, alerts that repeat until cleared) and the unified-tlsa.py DANE guard, published in full with a provider contract for adapting the DNS half.
- The failure branch: ~26 automated retries and just over three days of alerted margin between the first failed renewal and expiry.
The full runbook: How to Create an IP SAN Certificate with Let's Encrypt.