Not to complicate things, but this may also be more difficult than I first thought.
- Get cert for www.foo.com - www cert expires in 90 days
- One month later expand cert to include www.foo.com and mail.foo.com - www expires in 60, new www & mail in 90
- One month later move www server to different host
a. get www cert on new host
b. issue mail-only cert on old host.
You’re left with a www cert that expires in 30 days, a combined www & mail cert 60 days from expiration and two brand-new certs, separately for www and mail.
How would the notification process go? Certificate expansion would know the www & mail cert (2) supersedes the original www cert (1), but the new www cert (3a) would have no ties to the 2nd certificate, because the shrunk mail issuance (3b) would be issued to different machines.
The more I think about it, this seems like a rabbit hole. There are many different things to keep track of, and wildcard certificates are coming in January. Once that rolls around, one needs only:
scp /etc/letsencrypt/live/foo.com/* otherhost:/etc/letsencrypt/live/foo.com/
It may still be useful to get into this, but I’m unsure the effort is worth the result. My issue will be resolved once wildcards are issued.
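The superseding question raised in the post, as an added example (not the poster's code and not how Let's Encrypt's notifier works): instead of tracking lineage between issuances, each certificate is modelled by its name set and issue date, and an expiry notice is suppressed only when newer, unexpired certificates together cover every name on it. Dates, labels and the 20-day window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    label: str           # constructed identifier for the issuance
    names: frozenset     # the SAN set the certificate covers
    issued: date
    lifetime_days: int = 90  # lifetime stated in the post


    @property
    def expires(self) -> date:
        return self.issued + timedelta(days=self.lifetime_days)


def covering_certs(cert, certs, today):
    """Newer, unexpired certs whose names together cover every name on `cert`.
    Returns None when at least one name is left uncovered."""
    newer = [c for c in certs if c.issued > cert.issued and c.expires > today]
    remaining, covering = set(cert.names), []
    for c in sorted(newer, key=lambda c: c.issued, reverse=True):
        if c.names & remaining:       # this cert contributes at least one name
            covering.append(c)
            remaining -= c.names
    return covering if not remaining else None


def expiry_notices(certs, today, window_days=20):
    """Labels of certs expiring within the window that no newer certs cover."""
    return [c.label for c in certs
            if 0 <= (c.expires - today).days <= window_days
            and covering_certs(c, certs, today) is None]


# Constructed timeline following the post; DAY0 is arbitrary.
DAY0 = date(2017, 9, 1)
def day(n): return DAY0 + timedelta(days=n)

CERT1 = Cert("1 www", frozenset({"www.foo.com"}), day(0))
CERT2 = Cert("2 www+mail", frozenset({"www.foo.com", "mail.foo.com"}), day(30))
CERT3A = Cert("3a www (new host)", frozenset({"www.foo.com"}), day(60))
CERT3B = Cert("3b mail (old host)", frozenset({"mail.foo.com"}), day(60))
ALL = [CERT1, CERT2, CERT3A, CERT3B]

if __name__ == "__main__":
    for n in (75, 105):
        print(f"day {n}: notices {expiry_notices(ALL, day(n))}")
        # Without the mail-only reissue (3b), cert 2 is only partly covered.
        print(f"day {n}: without 3b {expiry_notices([CERT1, CERT2, CERT3A], day(n))}")
```

On day 75 cert 1 is inside the window but covered by 3a, and on day 105 cert 2 is covered only because 3a and 3b exist together; drop 3b and the notice for cert 2 returns, which is exactly the split the post describes.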