Pet Project Thread - March 05, 2021

I scripted LetsEncrypt renewals through DNS validation for any web servers that hog port 80, on which HTTP validation won't work.

It's the first time I'm making a little tool that uses several scripts, the first time I'm doing REST calls to an API, and there are lots of first-times in PowerShell code. The flow is essentially:

  • Server notices its SSL certificate is within the renewal window, and kicks off a script asking my management server for a new one
  • Management server notes who asked for a cert and asks LetsEncrypt for a new (or renewed) certificate
  • LetsEncrypt answers with some TXT records to verify ownership
  • Management server kicks off a second script authenticating itself to my DNS provider's API through some REST calls. Eventually it gets a token that allows it to create a new record, and puts in the value provided by LetsEncrypt
  • Goes to sleep for 10 minutes to let the record propagate
  • Wakes up, tells LetsEncrypt to do the verification of the record, and then gets the new certificate.
  • Management machine checks which server requested the certificate, and kicks off an installation script if it exists. For IIS servers, it copies the cert over through a PSSession, installs it in the right certificate store, creates a 443 binding in IIS and attaches the new cert.
  • Management script completes
  • Webserver continues on its merry way

It's probably a terrible design. I'm sure I'll look back at it in a couple of years and cringe. I should have just made a local ADCS. There are lots of things I should have done, but for now it solved an issue, I'm proud of the end result and I learned a lot along the way.

/r/sysadmin Thread
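The DNS-01 leg of the flow described in the post above, as an added PowerShell example that is not the original poster's code. It shows the three pieces a practitioner usually wants to get right: how the TXT value is derived from the challenge token (RFC 8555 section 8.4), polling the authoritative name server until the record is actually visible instead of a blind 10-minute sleep, and importing the PFX into LocalMachine\My and attaching it to a 443 binding in IIS. Assumptions, all labelled in the code: `$token` and `$thumb` are constructed sample strings rather than a live challenge; `Add-ProviderTxtRecord`, `Remove-ProviderTxtRecord` and `Request-AcmeValidation` are hypothetical wrappers standing in for the DNS provider REST calls and the ACME client; the site is called `Default Web Site` and the name server `ns1.example.net`.

```powershell
#Requires -Modules DnsClient, PKI, WebAdministration
# Added example (not the original poster's scripts). DNS-01 challenge value, propagation
# check and IIS install. Hypothetical/constructed pieces are marked inline.

function Get-Dns01TxtValue {
    # RFC 8555 section 8.4: TXT value = base64url(SHA-256(token + "." + JWK thumbprint)),
    # where the thumbprint is the base64url JWK thumbprint of the ACME account key.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$AccountKeyThumbprint
    )
    $keyAuthorization = "$Token.$AccountKeyThumbprint"
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha256.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($keyAuthorization))
    } finally {
        $sha256.Dispose()
    }
    # base64url (RFC 4648 section 5): swap '+'/'/' for '-'/'_' and drop '=' padding.
    return [Convert]::ToBase64String($digest).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Wait-Dns01Record {
    # Poll the zone's authoritative server until the expected TXT value is served,
    # rather than sleeping a fixed 10 minutes. Returns $true when seen, $false on timeout.
    param(
        [Parameter(Mandatory)][string]$RecordName,      # e.g. _acme-challenge.www.example.com
        [Parameter(Mandatory)][string]$ExpectedValue,
        [Parameter(Mandatory)][string]$NameServer,      # authoritative NS, bypassing resolver caches
        [int]$TimeoutSeconds  = 600,
        [int]$IntervalSeconds = 15
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $answer = Resolve-DnsName -Name $RecordName -Type TXT -Server $NameServer `
                                  -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
        if ($answer -and ($answer.Strings -contains $ExpectedValue)) { return $true }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $false
}

function Install-IisHttpsCertificate {
    # Import the issued PFX into LocalMachine\My, create the 443 binding if it is missing,
    # and attach the certificate to it. Returns the thumbprint that is now bound.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$PfxPassword,
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$HostHeader
    )
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
                                  -CertStoreLocation Cert:\LocalMachine\My
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader
    if (-not $binding) {
        # SslFlags 1 = SNI, so several host names can share port 443 on this server.
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader -SslFlags 1 | Out-Null
        $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader
    }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    return $cert.Thumbprint
}

# ---- constructed inputs, not real ACME data ----
$token    = 'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'   # sample token shape, not a live challenge
$thumb    = 'nqIAlbSOlezaVBAprB9hVc4J-cH_Hk0FP0Hj0y3LjHM'   # sample JWK thumbprint
$hostName = 'www.example.com'
$record   = "_acme-challenge.$hostName"
$txtValue = Get-Dns01TxtValue -Token $token -AccountKeyThumbprint $thumb

# Hypothetical wrapper for the provider's REST calls; its API token should be scoped
# to TXT records in this zone only, since it lives on the management server.
Add-ProviderTxtRecord -Name $record -Value $txtValue
try {
    if (-not (Wait-Dns01Record -RecordName $record -ExpectedValue $txtValue -NameServer 'ns1.example.net')) {
        throw "TXT record $record never became visible; not asking the CA to validate."
    }
    Request-AcmeValidation -Challenge $token    # hypothetical: the ACME client's challenge POST
} finally {
    Remove-ProviderTxtRecord -Name $record -Value $txtValue   # don't leave stale challenge records behind
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Install-IisHttpsCertificate -PfxPath 'C:\certs\www.example.com.pfx' -PfxPassword $pfxPassword `
                            -SiteName 'Default Web Site' -HostHeader $hostName
```

Two caveats a practitioner would add to the post's design. Seeing the record on one authoritative server only proves it is published there; if the provider runs lagging secondaries, keep a short grace wait after `Wait-Dns01Record` returns, since the CA resolves from several vantage points. And because the management server holds both the DNS API token and a PSSession into every web server, it is the highest-value host in this setup: scope the DNS token to TXT writes on the relevant zone, and constrain the remoting endpoint (JEA or at least a dedicated low-privilege account) rather than using a domain admin session for the copy-and-bind step.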