From 34daa0c1d3099f3cc584178997f3ef2b4626d5bc Mon Sep 17 00:00:00 2001 From: justin Date: Sat, 6 Jun 2026 19:37:37 -0500 Subject: [PATCH] infra: MTA-STS status note - cert pending stable HE.net DNS propagation --- infra/mta-sts/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/infra/mta-sts/README.md b/infra/mta-sts/README.md index 6b1d335..cef699c 100644 --- a/infra/mta-sts/README.md +++ b/infra/mta-sts/README.md @@ -13,3 +13,13 @@ resolves, run: sudo certbot certonly --webroot -w /var/www/certbot -d mta-sts.performancewest.net --non-interactive --agree-tos -m admin@performancewest.net then upgrade pw-mta-sts.conf to an HTTPS (443) server block (see pw-listmonk-hc.conf pattern) and reload nginx. MTA-STS requires the policy be served over valid HTTPS. + +## STATUS 2026-06-07 +- DNS A record added + policy file served over HTTP (working). +- Cert issuance FAILED twice: HE.net secondary DNS is flapping (mta-sts resolves + on 1.1.1.1/9.9.9.9 but intermittently empty on 8.8.8.8), so Let's Encrypt's + multi-vantage validation can't get consistent resolution. nginx left on the + safe HTTP-only vhost. RETRY the certbot command above once `dig +short + mta-sts.performancewest.net` is stable across 8.8.8.8 / 1.1.1.1 / 9.9.9.9, + then upgrade to the 443 vhost. (nginx -t before any reload — a missing cert + ref will break the reload.)
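Review bot: the retry condition in the new STATUS block is under-specified: `dig +short mta-sts.performancewest.net` as written only asks the host's configured resolver, while the failure described is inconsistent answers across 8.8.8.8, 1.1.1.1 and 9.9.9.9. Spell out the per-resolver checks so the next person runs the same test, e.g. `dig +short @8.8.8.8 mta-sts.performancewest.net` (and likewise `@1.1.1.1` and `@9.9.9.9`), and state that all three must return the same A record over several consecutive runs before certbot is retried, since one successful query does not rule out a flapping secondary. It would also help to say in the same block that the HTTP-only vhost is intentionally not a usable MTA-STS policy host (the README's own line says the policy must be served over valid HTTPS), so senders see no enforced policy until the 443 vhost is live, and that `nginx -t` failing on a missing cert reference is the expected outcome if the 443 block is enabled before issuance succeeds.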