LetsEncrypt + DANE

This was the thread I was trying to point you to: Please avoid “3 0 1” and “3 0 2” DANE TLSA records with LE certificates. It seems like the missing piece for you is easy automated renewal without rotating keys. There’s a Certbot issue open for that.

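Why the "3 0 1" records named above break at every renewal, while a record over the public key (selector 1, "3 1 1") survives as long as the key is kept, shown as an added example that is not part of the original post. The certificates are toy DER structures constructed here (X.509 field order, no real signature), and `tlv`, `read_tlv`, `spki_of`, `tlsa` and `toy_cert` are hypothetical helper names.

```python
import hashlib

def tlv(tag, body):
    """DER-encode one element (short-form length, enough for the toy data)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    k = 0 if first < 0x80 else first & 0x7F   # long form: k length bytes follow
    size = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    start = pos + 2 + k
    return tag, start, start + size

def spki_of(cert_der):
    """Extract the SubjectPublicKeyInfo element from a DER certificate."""
    _, pos, _ = read_tlv(cert_der, 0)         # enter Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)       # enter tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                           # skip optional [0] version
        pos = end
    for _ in range(5):   # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa(cert_der, selector):
    """TLSA RDATA for usage 3, matching type 1 (SHA-256)."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"

def toy_cert(serial, spki):
    """Constructed stand-in with X.509 field order; not a real certificate."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

# Constructed sample data: two keys, one renewal per scenario.
KEY_A = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + b"A" * 32))
KEY_B = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + b"B" * 32))
old, same_key, new_key = toy_cert(1, KEY_A), toy_cert(2, KEY_A), toy_cert(3, KEY_B)

if __name__ == "__main__":
    for name, cert in (("old", old), ("renewed, key kept", same_key),
                       ("renewed, key rotated", new_key)):
        print(f"{name:22} {tlsa(cert, 0)}\n{'':22} {tlsa(cert, 1)}")
```

Only the "renewed, key kept" case leaves a published selector-1 record valid; in every renewal the selector-0 record no longer matches the served certificate.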