

Half a dozen sounds like a lot, kinda curious what you are running? If they all are web services maybe use a reverse proxy or something?




Depends on which DNS service you are using; a plugin might already exist that would do it for you. E.g., I use Cloudflare for DNS, and certbot is able to automatically set the TXT record.


Well it should be as short as possible while still being practical. LE doesn’t have infinite server compute, renewal also takes some amount of time, plus if they make the validity too short people might stop using them (pretty evident judging from sentiment here) and move to other CAs and make what they do pointless.
45 days are still plenty of time yet people are already complaining. Does make me worry.


You can already get 6-day certificates if you want to: https://letsencrypt.org/2025/01/16/6-day-and-ip-certs


I’m sorry, but if you aren’t using automated renewals then you are not using Let’s Encrypt the way it’s intended to be used. You should take this as an opportunity to get that set up.


Wait, how’s this worse? This makes the Internet safer by reducing the window a leaked key can do harm.
Is redirecting http to https also out of the question? Because Let’s Encrypt HTTP-01 accepts http -> https redirects: