diff --git a/howto/tls.md b/howto/tls.md
index 721bc79bd785c7f9f3f75a46920a46c86d7e6725..427fc96041bac1c73fc26c1b8fc4b9ad4d936cab 100644
--- a/howto/tls.md
+++ b/howto/tls.md
@@ -80,9 +80,43 @@ Then remove the file.
 
 ## Pager playbook
 
- * if you get email from Digicert, ask the Tor Browser team, they use
-   it to sign code (see "Design" below for more information about
-   which CAs are in use)
+### Digicert validation emails
+
+If you get email from DigiCert Validation, ask the Tor Browser team,
+they use it to sign code (see "Design" below for more information
+about which CAs are in use)
+
+### Waiting for master to update...
+
+If a push to the Let's encrypt repository loops on a warning like:
+
+    remote: Waiting for master to update torproject.net (for _acme-challenge.pages.torproject.net) from 2021012804.  Currently at 2021012804..
+
+It might be because the Let's Encrypt hook is not *really* changing
+the zonefile, and *not* incrementing the serial number (as hinted
+above). This can happen if you force-push an empty change to the
+repository and/or a previous hook failed to get a cert or was
+interrupted.
+
+The trick then is to abort the above push, then *manually edit* (yes)
+the zonefile in (for the `torproject.net` domain, in the above
+example):
+
+    $EDITOR /srv/dns.torproject.org/var/generated/torproject.net
+
+... and remove the ` _acme-challenge` line. Then you should somehow
+update the zone with another, unrelated change, to trigger a serial
+number change. For example, you could add a random A record:
+
+    ynayMF5xckel8uGpo0GdVEQjM7X9    IN TXT "random record to trigger a zone rebuild, should be removed"
+
+And push *that* change (in `dns/domains.git`). Then the serial number
+will change, and the infrastructure will notice the `_acme-challenge`
+record is gone. Then you can re-do the certification process and it
+should go through.
+
+Don't forget to remove the random `TXT` record created above once
+everything is done.
 
 ## Disaster recovery
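Review bot: In the new "Waiting for master to update..." section, the sentence "For example, you could add a random A record:" does not match the example that follows, which is an `IN TXT` record, and the closing paragraph also refers to "the random `TXT` record"; change "A record" to "TXT record" so the three agree. In the same section, "*manually edit* (yes) the zonefile in (for the `torproject.net` domain, in the above example):" reads as if a word is missing after "in"; something like "the generated zonefile (for the `torproject.net` domain in the above example):" would be clearer. Since the file being edited lives under `var/generated/`, it would help to say explicitly whether the rebuild triggered by the `dns/domains.git` push overwrites the manual edit, and on which host the `$EDITOR` command is run. Smaller points: the heading spells "Digicert" while the body uses "DigiCert", "Let's encrypt" and "Let's Encrypt" are both used, and the DigiCert paragraph lacks a final full stop.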