> There are now several new web servers that can automatically fetch and
> renew SSL certificates from Let's Encrypt.

Some thoughtful comments from a GitHub issue about why this may not be a
good idea after all:

 > I see, why one would want to make certificate renewal via Let's
Encrypt as easy as possible. On the other hand, I would not want the web
server to take over an important role in the renewal process. It would
inter alia require that h2o has access to the private key. But at least
in the FreeBSD community there are quite a few of us, who do not even
let the private key sit in the same FreeBSD jail as the web server.
 >
 > There is an increasing number of great tools out there specifically
designed to efficiently and safely manage the complete ACME process
(e.g. acme-client, which recently became part of the OpenBSD base
system). I certainly would not use a similar feature built into h2o.
Especially for a task that would run only once every 2-3 months (per
domain).
 >
 > I would much more advocate good documentation on how to structure
h2o.conf to easily integrate Let's Encrypt certificates. Or else, we
could think of a small shell script or online tool to help with the
necessary steps (we could use some ideas from the Mozilla SSL
Configuration Generator).

<https://github.com/h2o/h2o/issues/473#issuecomment-254129064>

So perhaps it would be best if operating systems shipped with a standard
Let's Encrypt client and conventions for how to use it. Then web servers
could hook into that.