
I take it you've read the source code of Apache and Nginx then and confirmed that they aren't doing anything malicious as well? :)

In any practical security system you are always going to have to trust that certain components are doing what they say they're doing. Fortunately, Let's Encrypt is from a reputable group, and sponsored by organizations with good reputations (Mozilla, EFF, etc.), which is about as good as you can hope for.




Many people draw a line between one time trust and continuous trust. If this thing can update the certs on my server whenever it likes, that's substantially more trust than permitting it to install a cert exactly once. If, for example, it has a bug that permits a malicious upstream to overwrite arbitrary files, the window of vulnerability expands from "the CA is pwned this instant" to "the CA will at any future time ever be pwned".


Easy fix: Run the tool as its own user, give write permission to cert & key files to that user. If you're really paranoid, run it in a jail that only has access to those files. No different than proper security for any other system process.


Yes, I need to trust some things. But I can limit the amount of trust I need to have by limiting the number of things to run. I can add a reminder to my calendar to say "hey renew your certs", or better yet I can add a check to my existing monitoring service to look at expiration dates. Why run a whole new persistent service just for this?
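The alternative the comment above describes, an expiry check wired into existing monitoring instead of a persistent renewal daemon, as an added example that is not part of this thread or of Let's Encrypt's own tooling. The script walks the DER structure of an X.509 certificate (RFC 5280 field order: version, serialNumber, signature, issuer, validity, ...) to pull out notAfter, then returns a Nagios-style status. The minimal DER reader, the 14/3-day thresholds and the `build_skeleton_pem` helper are assumptions made for this example; the skeleton it builds is a constructed, unsigned stand-in with the same layout up to the validity field, so the check runs offline. In practice you would feed `check_expiry` the PEM already on disk or the chain returned by `openssl s_client`.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# --- minimal DER reader (assumption: enough of DER to reach the Validity field) ---

def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Return the (tag, value) pairs contained in a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out

def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (tag 0x17) or GeneralizedTime (tag 0x18), Zulu form only."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def cert_validity(der):
    """Return (notBefore, notAfter) from the tbsCertificate of a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version, present in v3 certificates
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)

def check_expiry(der, now, warn_days=14, crit_days=3):
    """Monitoring check: (status, days_left), thresholds are this example's assumption."""
    _, not_after = cert_validity(der)
    days_left = (not_after - now).total_seconds() / 86400
    if days_left < crit_days:              # covers already-expired certificates (negative days)
        return "CRITICAL", days_left
    if days_left < warn_days:
        return "WARNING", days_left
    return "OK", days_left

# --- constructed test input: NOT a real certificate (no key, no signature, fields after
# subject omitted); it only reproduces the DER layout that cert_validity() walks ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _utctime(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_skeleton_pem(not_before, not_after, cn=b"www.example.test"):
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn))))  # CN=<cn>
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                         # version v3
               + _tlv(0x02, b"\x01")                                   # serialNumber
               + sha256_rsa                                            # signature algorithm
               + name                                                  # issuer
               + _tlv(0x30, _utctime(not_before) + _utctime(not_after))  # validity
               + name)                                                 # subject
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))           # empty BIT STRING stands in for the signature
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    now = datetime(2015, 6, 1, tzinfo=timezone.utc)
    for days in (90, 10, -1):
        pem = build_skeleton_pem(now - timedelta(days=30), now + timedelta(days=days))
        print(check_expiry(pem_to_der(pem), now))
```

The point of doing the parsing by hand rather than shelling out is that the check has no dependencies beyond the standard library, so it can sit inside whatever monitoring agent already runs on the host without adding another process that needs write access to anything.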


There won't be any sort of requirement to allow our tools to run automatically. But the existing track record of expiring certs suggests that some people are having trouble remembering to do the renewals manually, so it may be useful to have a tool that does it automatically for people who want that.


The vast majority of sites fall into the category of "encryption would be nice, but not worth the time." All of my hobby sites (various forums, a site for my choir, etc.) fall into that category. Automagic TLS done right is an improvement from no TLS, IMHO, even if it comes with its own new set of potential attack vectors.


> Automagic TLS done right is an improvement from no TLS, IMHO, even if it comes with its own new set of potential attack vectors.

Is it really? Does it not potentially provide a false sense of security?



