Same opinion here. Also, even though automation is great, people may want control over whatever runs on their production servers.
If you use automatic mode, who knows what might happen, especially with beta software that updates itself and its dependencies (which may not be desired either).
With manual mode you can run the CA-relevant stuff on another machine where not much harm can happen; also, you can generate the keys and CSR on a production server, so that won't be a problem either.
Also, LE doesn't actually notify you about the success or failure of an auto-renewal, making things even more complicated…
With manual issuance and longer lifetimes people know what's going on and can do what's needed by themselves directly, rather than having to check whether their cert has been properly renewed every 60 days.
Also, the SHA1 sunset only affects REALLY old stuff that has already been out for way too long.
One of the worst offenders is XP SP2, which has been pretty much EOL not just since 2 years ago but ever since SP3 was released (April 28, 2008) because of MS's "you need the latest OS updates" policy, which is in my opinion completely.
But the problem is that SHA1 certs may get seriously attacked in the near future, especially since a collision has been found (before anyone tries to kick down this point, note that I know that a free collision is not equal to a pre-image attack, much less a pre-image attack that relies on a special structure (in this case x509 certs), and that those are harder to compute, but large attackers with high volumes and Moore's law will have a way to break SHA1 certs sooner or later, which is also the reason we shot down MD5, wasn't it).
One very interesting point would be if the CAB would create an extension that the browsers see as a sure-fail condition (similar to TLS_FALLBACK_SCSV or whatever it was called), which could be used on certs specially intended for legacy clients, which then could be used with SHA1, but that's another story.