
This is actually a great suggestion and ACME providers should provide it as an opt-in feature via CAA record. Not even the provider having access to system memory could issue a MITM cert without you noticing.


The provider having access to system memory can copy the private key and use your original key+cert for MITM, unless you are using some fancy HSM.
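The exchange above turns on what a CAA record can and cannot gate. As an added example (not from this thread or from any ACME provider), the following Python evaluates a CAA record set the way a CA is required to under RFC 8659 (issue/issuewild precedence, the bare ";" that forbids everyone, and the critical flag on unknown tags) plus the RFC 8657 `accounturi` parameter that pins issuance to one ACME account. It lets you check what your own policy permits before relying on it. The CA names, account URIs and records are constructed sample data; DNS lookup is left to the caller, who supplies the records of the closest ancestor name that has any CAA records.

```python
"""CAA issuance check: RFC 8659 issuance rules plus the RFC 8657 accounturi
parameter. Added example, not code from the Hacker News thread; all CA names,
account URIs and records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 128                       # flag bit defined by RFC 8659
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 or 128 (critical)
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'ca.example; accounturi=https://...'


def parse_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split an issue/issuewild value into (issuer domain, parameters).

    An empty issuer domain (value is just ";") means "nobody may issue".
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params


def may_issue(records: List[CAA], ca_domain: str,
              account_uri: Optional[str] = None,
              wildcard: bool = False) -> bool:
    """Return True if ca_domain (with the given ACME account, if any) may issue.

    `records` must be the CAA set of the closest ancestor that has one; the
    DNS walk itself is the caller's job.
    """
    # A CA that does not understand a critical property MUST NOT issue.
    for r in records:
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False

    # Wildcard names use issuewild if any exist, else fall back to issue.
    # Non-wildcard names ignore issuewild entirely.
    relevant = [r for r in records if r.tag.lower() == ("issuewild" if wildcard else "issue")]
    if wildcard and not relevant:
        relevant = [r for r in records if r.tag.lower() == "issue"]
    if not relevant:
        return True   # no policy published: any CA may issue

    for r in relevant:
        issuer, params = parse_value(r.value)
        if issuer == "" or issuer != ca_domain.lower():
            continue
        # RFC 8657: if accounturi is present, only that ACME account may issue.
        pinned = params.get("accounturi")
        if pinned is not None and pinned != account_uri:
            continue
        return True
    return False


# Constructed sample policy: one CA, pinned to one ACME account, no wildcards.
SAMPLE_POLICY = [
    CAA(0, "issue", "ca-one.example; accounturi=https://acme.ca-one.example/acct/1234"),
    CAA(0, "issuewild", ";"),
    CAA(0, "iodef", "mailto:security@example.com"),
]

if __name__ == "__main__":
    ok = "https://acme.ca-one.example/acct/1234"
    print("own account      :", may_issue(SAMPLE_POLICY, "ca-one.example", ok))
    print("other account    :", may_issue(SAMPLE_POLICY, "ca-one.example", ok.replace("1234", "9999")))
    print("other CA         :", may_issue(SAMPLE_POLICY, "ca-two.example"))
    print("wildcard request :", may_issue(SAMPLE_POLICY, "ca-one.example", ok, wildcard=True))
```

The account pinning is exactly what limits a rogue or compromised ACME client: another account at the same CA is refused. It does nothing against the second comment's scenario, because a copied private key needs no new certificate at all; only keeping the key out of reachable memory (an HSM or similar) addresses that.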




