Re: Minor arse-ache
Well, if you manage to cock up *that* simple of a command, multiple times even, you should seriously be considering a career change. To one that does not involve electrons.
The problem is that all it takes is one cock-up (e.g. "up enter" accidentally re-running the update command, in an environment primed with "update often" where re-running an issuance command is not expected to be able to knock everything offline). Or even in some cases no cock-up at all is required; the company referenced earlier basically did this:
* Set short update interval (which is encouraged, given short cert expiry times!)
* Migrate several subdomains from a commercial cert to LetsEncrypt over a period of several hours (this was before wildcard DNS, the systems involved were quite complex, and under no circumstances was "shut it all down for hours to enable a single, untested cert migration" an option)
* Test the automatic update system with one last manual update. Oh bugger, API request limit hit with that last test, no way to override, sites offline, scramble for commercial cert.
When the limit is hit it shouldn't immediately knock out requests for days. It should soft fall back to minutes and maybe increase over time to hours then days, and in all cases LetsEncrypt should always be able to override it (possibly for a small fee if it was customer-induced stupidity versus an external attack).
In fact there's some concern a ne'er-do-well could effectively knock sites offline via a DoS attack using this little-known "feature" of LetsEncrypt, though I haven't really looked into it in detail.
And don't give me any bull about LetsEncrypt having a useful staging environment. It literally goes after your public Web servers on your production domains to even issue the certs in the first place, so you can't have a fully isolated staging environment that would have prevented the sequence above.
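
The escalating lockout with an operator override that the comment above proposes, sketched as an added example; it is not part of the original comment and does not describe how LetsEncrypt's rate limiting works. The class name, limit, window and lockout steps are all assumed values chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed values for illustration only; not LetsEncrypt's real limits.
LIMIT = 5                      # requests allowed per window
WINDOW = 3600                  # window length in seconds
LOCKOUTS = [300, 3600, 86400]  # escalation steps: 5 minutes, 1 hour, 1 day
DECAY = 7 * 86400              # clean period after which escalation resets


@dataclass
class EscalatingLimiter:
    stamps: list = field(default_factory=list)  # times of accepted requests
    strikes: int = 0            # number of lockouts triggered so far
    locked_until: float = 0.0   # end of the current lockout
    last_strike: float = 0.0    # time of the most recent lockout

    def request(self, now):
        """Return (allowed, retry_after_seconds) for a request at time `now`."""
        if now < self.locked_until:
            return False, self.locked_until - now
        if self.strikes and now - self.last_strike > DECAY:
            self.strikes = 0    # long clean period: forgive earlier strikes
        self.stamps = [t for t in self.stamps if now - t < WINDOW]
        if len(self.stamps) < LIMIT:
            self.stamps.append(now)
            return True, 0.0
        # Limit hit: short lockout first, longer on each repeat offence.
        step = LOCKOUTS[min(self.strikes, len(LOCKOUTS) - 1)]
        self.strikes += 1
        self.last_strike = now
        self.locked_until = now + step
        self.stamps.clear()     # fresh budget once the lockout ends
        return False, float(step)

    def operator_override(self):
        """Operator-side reset: lift the lockout and clear the window."""
        self.locked_until = 0.0
        self.stamps.clear()
```

The first time the limit is hit the client waits minutes, not days; only a repeat within the decay period moves to the next step, and `operator_override()` lifts a lockout at any step.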