While the need for encrypted web sites has been sufficiently motivated by countless revelations on state sponsored surveillance or malevolent ISPs, acquiring a LetsEncrypt certificate used to be a tiresome business, and usually certificates broke anyway. openSUSE Leap 15 will be the first long term distribution to provide automated certificate requests and renewals thanks to dehydrated, which is also available for older distributions via OBS. This talk will show how to quickly acquire certificates for a single host and ensure that they will be automatically renewed and how to orchestrate certificate renewal for a whole fleet of servers and services via DNS. Finally, we will also look into further and future simplification for single services, such as Caddy or Apache's mod_md.