I think the way Plex did it is still considered pretty much best-in-class: https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/.
Note: If you are developing a Let’s Encrypt client for embedded devices, I have some extra recommendations:
- Don’t have your devices contact Let’s Encrypt directly. Instead, run an ACME proxy on your own servers. That way you have an easy way to measure how much traffic you are generating, and switch it off if your devices get out of control (this is unfortunately common). This also means you can control for future API changes.
- Make sure you can auto-update and restart all your devices in a rolling fashion (i.e. not all at once).
- Your devices should have persistent storage, and should write not only the account information, but also the status of errors and retries to that storage. This ensures that you can properly handle backoffs, and that devices don’t always start hammering the ACME server on restart (this is a pattern we’ve seen with lots of IoT devices).
- Each device should pick a random time of day to check status and renew. Don’t have all devices renew at midnight.
- Follow the best practices at https://letsencrypt.org/docs/integration-guide/.
Thanks,
Jacob
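Added example (my own sketch, not code from Jacob's post or from Let's Encrypt): how the persistent-storage and random-renewal-time bullets above fit together for an embedded ACME client, with backoff state written to a JSON file so a reboot neither resets the retry counter nor makes the whole fleet renew at once. The file layout, field names and backoff constants are assumptions.

```python
import json, os, random, tempfile

BASE_BACKOFF_S = 3600        # first retry no sooner than an hour after a failure
MAX_BACKOFF_S = 7 * 86400    # never wait longer than a week between retries
DAY_S = 86400

def load_state(path):
    """Load persisted state; on first boot pick the device's random daily slot."""
    try:
        with open(path) as f:
            return json.load(f)
    except (FileNotFoundError, ValueError):
        # Chosen once and persisted, so the fleet stays spread across the day.
        return {"renew_slot_s": random.randrange(DAY_S), "failures": 0, "next_attempt": 0}

def save_state(path, state):
    """Temp file + fsync + rename, so a power loss cannot leave a corrupt file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)

def backoff_seconds(failures, rng=random.random):
    """Exponential backoff with full jitter, capped; rng is injectable for tests."""
    if failures <= 0:
        return 0
    return int(min(MAX_BACKOFF_S, BASE_BACKOFF_S * 2 ** (failures - 1)) * rng())

def next_daily_slot(now, slot_s):
    """Next time (>= now) at which this device's fixed time of day occurs."""
    candidate = now - now % DAY_S + slot_s
    return candidate if candidate >= now else candidate + DAY_S

def record_outcome(state, now, ok, rng=random.random):
    """Success: re-check at tomorrow's slot. Failure: back off from the persisted count."""
    if ok:
        state["failures"], state["next_attempt"] = 0, next_daily_slot(now + 1, state["renew_slot_s"])
    else:
        state["failures"] += 1
        state["next_attempt"] = now + backoff_seconds(state["failures"], rng)
    return state

def persisted_roundtrip(state):
    """Simulate a reboot: save, reload, and report whether the temp file was cleaned up."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "acme-state.json")
        save_state(path, state)
        return load_state(path), os.path.exists(path + ".tmp")
```

The client's main loop should call `load_state` at boot and only contact the ACME server (or your proxy) once `now >= state["next_attempt"]`, then `record_outcome` and `save_state` after every attempt.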