monitor certificate transparency log
we should use something like SSLMate.com or certspotter to monitor certificates issued in our place.
this could be ran on nevii, nagios or pauli. it's unclear what we should do with the output, there will be possibly be lots of false positive, as the certificates will appear in our logs every time one of our cert is (legitimitely) renewed.
it's a debian package since buster. i ran a test locally, and it's basically:
sed 's/ /\n/g;/^#/d;/^ *$/d' letsencryt-domains/domains | sort | certspotter -watchlist -
the key trick however, is to not warn when a new cert is renewed. therefore we would need to be somewhat clever and recognize our own certificates in there and filter those out.