Highly recommend webroot mode with something similar to this[1]. Put that into a cronjob together with service nginx reload and automated zero-downtime renewal is up and running.

[1]: https://community.letsencrypt.org/t/using-the-webroot-domain...

Thanks - I'll check this out.

Good to hear. I'm hoping to start using them once they go public.

Regarding #2, do I understand correctly that domain whitelisting is just about which domains can be used with the current closed beta?

I presume so.

There may be some regulation (or suggested guidelines) about high-trust sites (like banks) that are vulnerable to phishing requiring EVs. Otherwise using the Google Safe Browsing API (as they plan on doing[1]) will probably work and is automated.

[0]https://letsencrypt.org/2015/10/29/phishing-and-malware.html

I can't wait to test it out when the Public beta will start. I am currently in the process of deploying a new webserver at work so I will certainly give this a go.