"herd immunity" is a good argument; but herd immunity exists for outliers. The people who for some reason cannot get a vaccine, yet they are not exposed to the hypothetical disease because everyone they are surrounded by is immune.

That's kinda my argument, not that https is bad. I agree with widespread adoption and taking it as a default even for a static page.

But in my environment I have many dozens of nodes and idk where letsencrypt is going to come in because of geobalanced DNS. I also serve many domains with this project so I don't have the nice DNS-01 ACME verification features because not all DNS providers have an API.

So I have a web server on each node, which reverse proxies .well-known/ to some central server that runs certbot. Then I distribute those certs outwards to those nodes.

It goes against certain sysadmin principles about transportation of private key materials, but it's what works.

But; given that architecture which caters for a latency sensitive product; letsencrypt is a serious overhead. To the point where I'm considering going back to 2y paid certs.