This is why self hosted to me means actually running it on my own hardware in a location I have at least some control of physical access.

That said, an ISP could perform the same attack on a server hosted in your home using the HTTP-01 ACME challenge, so really no one is safe.

HSTS+certificate pinning, and monitoring new certificates issued for your domains using Certificate Transparency (crt.sh can be used to view these logs) is probably the only way to catch this kind of thing.

Good suggestions at the bottom.

There are several indications which could be used to discover the attack from day 1:

All issued SSL/TLS certificates are subject to certificate transparency. It is worth configuring certificate transparency monitoring, such as Cert Spotter (source on github), which will notify you by email of new certificates issued for your domain names

Limit validation methods and set exact account identifier which could issue new certificates with Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding (RFC 8657) to prevent certificate issue for your domain using other certificate authorities, ACME accounts or validation methods

More discussion https://news.ycombinator.com/item?id=37955264

Post title is missing Linode.

Yes. All hosting providers will comply with requests from law enforcement.

Signal and proton mail were forced to hand out information as well in the past. All you can do is choose which provider you distrust the least.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

[Thread #232 for this sub, first seen 22nd Oct 2023, 23:05] [FAQ] [Full list] [Contact] [Source code]

Is it tame for selfhosted to switch to DANE?

My domain has two certs issued to it. Am I in trouble?