>DNS-01 doesn't have a middle ground of owning a single record AFAIK,
With DNS-01 you only own up to the domain you verified. If you verify ftp.de.debian.org then you can't issue certs for de.debian.org or debian.org but you can issue for www.ftp.de.debian.org.
I see an issue with that - but it's possible I'm too paranoid when it comes to many third parties being able to issue certificates for my domain on names I wasn't expecting.. Each to their own!
Either way - assuming restricting issuance to exactly 1 name is a solved problem.. This:
> What? No.
> The mirrors would just need to install a letsencrypt-compatible client and set up SSL via that.
is still a far cry from reality thanks to all the other issues.
If anything, it's: What? No. Certs are just the tip of the iceberg, even if LetsEncrypt solved that problem neatly (and they don't), you have ignored the massive complexity of the issue, both the technical and organisational issues.
It will have to be solved considering a major vulnerability was released today that allows any attacker to get root-level RCE by manipulating the HTTP response.
HTTPS as default would have severely reduced the attack surface for this bug.
> With DNS-01 you only own up to the domain you verified. If you verify ftp.de.debian.org then you can't issue certs for de.debian.org or debian.org but you can issue for www.ftp.de.debian.org.
I don't see the issue with that.
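The scope rule described in the quoted comment (a validated name covers itself and its subdomains, never its parents or siblings), written out as a small policy check that a mirror operator or CA automation could run over a requested SAN list before issuing. This is an added example, not ACME or Let's Encrypt code; the function names and the label-boundary handling are assumptions of the example.

```python
# Added example: the issuance-scope rule from the comment above, modelled as a
# policy check. Not ACME/Let's Encrypt code; names are the example's own.

def _norm(name: str) -> str:
    """Normalise a DNS name for comparison: lowercase, strip a trailing dot."""
    return name.strip().lower().rstrip(".")

def within_scope(validated: str, requested: str) -> bool:
    """True if `requested` is the validated name itself or one of its subdomains.

    Parents (de.debian.org) and siblings are out of scope.  The comparison is
    done on a label boundary so that a plain suffix match cannot be fooled:
    'evilftp.de.debian.org' must NOT be covered by 'ftp.de.debian.org'.
    """
    v, r = _norm(validated), _norm(requested)
    if not v or not r:
        return False
    return r == v or r.endswith("." + v)

def out_of_scope(validated_names, requested_sans):
    """Return the requested SANs that no validated name covers.

    An empty result means every name in the request is within the scope of
    something the requester has actually proven control over.
    """
    return [
        san for san in requested_sans
        if not any(within_scope(v, san) for v in validated_names)
    ]

if __name__ == "__main__":
    # Constructed request: the mirror proved ftp.de.debian.org via DNS-01.
    bad = out_of_scope(
        ["ftp.de.debian.org"],
        ["ftp.de.debian.org", "www.ftp.de.debian.org",
         "de.debian.org", "debian.org", "evilftp.de.debian.org"],
    )
    print("out of scope:", bad)
```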