I used the ZeroSSL commands to manually create, and later update, my cert but since those instructions don’t include the email parameter (which I thought was going to be updated) I don’t get reminders. How can I set it up to send reminders without having to go through the whole creation or renewal process again? Currently I have reminders configured through SSLshopper but would like it to be tied to the actual cert generator.
As specified on https://github.com/do-know/Crypt-LE and in the list of client parameters (also in the examples given if you run the client with --help), if you did not specify your email initially, you can update it later as follows:
This parameter has nothing to do with renewal as such - it updates the contacts for your account (so you should be able to receive reminders against the domains linked to that account). You can run that at any time but there is no need to do that more than once unless it’s another account or you want to change contact data. There is no harm in running it as often is you like though (as far as I know, there’s no rate limiting on that). Keep in mind that update-contacts is a separate command and if that parameter is used, renewal parameters will be ignored.
Since the account key does not bear the information regarding whether it is test- or live-server related, indeed --live option would apply the changes to live server, while not having that option would apply the changes to test.
Just a quick update - in v0.28 released today you can remove your contact details completely by specifying "none" for --update-contacts. So to do that on the test server, you will need to run the client like this:
Regarding to how Let's Encrypt notifications work in general, I believe misusing those to the point where they actually cause any significant harm would be rather unlikely. However, it might make sense indeed to add some form of verification, perhaps combined with the verification of the domains themselves.
For example, for the completely new account the contact details would only be set upon successful verification of the domain(s) and only if the email belongs to the verified domain(s). Further contact updates could then limit acceptance of email addresses to any of the domains successfully verified by the account previously.