Why not keep `/etc/ssl` inside a volume mounted by each docker container and run letsencrypt outside of docker? Each docker container doesn't need its own instance of letsencrypt; it just needs access to your key.
If you use the DNS auth, it's actually not bad: you can securely issue the certs on a different machine and just copy the PEM files to the right place. I used this with Route 53's API and it works quite well and is (in my opinion) superior to having to place files.
You can get a Let's Encrypt certificate manually; you don't have to automate it. There are a few options, including https://gethttpsforfree.com/ by 'diafygi, which involves running some openssl commands and pasting public keys and signatures into the web form (which in turn send API requests to Let's Encrypt). Or you can find or build a client yourself.
The only hard part is you'll have to find a way to prove ownership other than email ownership. But if these are public-facing web servers, implementing a response for the HTTP challenge shouldn't be hard, and as the website points out, you can configure all your servers to send an HTTP redirect for the challenge to some other single URL, which you can configure manually. https://letsencrypt.org/docs/integration-guide/#picking-a-ch...
This process is significantly less painful, especially on renewals, than the traditional certificate renewal process. If you're already planning on spending an hour of someone's time a year to request a renewal, pay for it, click a link in an email, etc., plan on spending 10 minutes of someone's time every two months, instead. (And an hour is optimistic based on my experience.)
Your public and private keys don't change, since these are renewals. You're just updating the certificates themselves. And certificates are public data (they're sent in their entirety when you make an HTTPS connection), so you can just put them in a git repo or an S3 bucket or whatever else is convenient for your deploy process.
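The single-redirect setup described above, as an added example that is not part of the thread: a minimal Python handler that forwards only well-formed HTTP-01 challenge tokens from any front-end server to one central challenge host (acme.example.com is an assumed placeholder) and answers 404 to everything else, so the catch-all rule cannot be turned into an open redirect.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not from the thread): the single host that answers every
# server's ACME challenges is acme.example.com; substitute the real one.
CHALLENGE_HOST = "acme.example.com"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are unpadded base64url; anything else is not a challenge.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def redirect_target(path: str):
    """Return the central challenge URL for a well-formed token, else None.

    Only the validated token is copied into the Location header, so a
    crafted path or query string can never redirect to a foreign host.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):].split("?", 1)[0]
    if not TOKEN_RE.match(token):
        return None
    return f"https://{CHALLENGE_HOST}{CHALLENGE_PREFIX}{token}"


class ChallengeRedirect(BaseHTTPRequestHandler):
    """Serves on each public web server; the CA's validator follows 302s."""

    def do_GET(self):
        target = redirect_target(self.path)
        if target is None:
            self.send_error(404)
            return
        self.send_response(302)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Port 80 is where HTTP-01 validation requests arrive.
    HTTPServer(("0.0.0.0", 80), ChallengeRedirect).serve_forever()
```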
You think it is the same to set up renewal for Letsencrypt and a vanilla cert, but it's not.
We buy 3-year wildcard certs - Rapidssl was about $80. From about a month before renewal, they start sending you emails and make sure you don't forget.
Letsencrypt is a good idea for larger setups with dedicated devops. For a start-up, it's the exact same argument as Gitlab vs Github.
Can confirm, Lego on k8s is really pain-free to use. Following the official documentation meant that I was able to have HTTPS running on our Google Cloud load balancer within 30 minutes.
Why does that matter? Pretty sure you don't have to change your public key to get or renew a Let's Encrypt cert.