You should try Caddy -- it's even easier.

No, and then when it's down you can't update the certificate.

No, there are other free CAs too, and ACME clients can let you enable automatic fallback, so you literally don't have to do anything to fix it: https://github.com/caddyserver/caddy/pull/3862

I don't want to run a certificate server.

I serve nothing worth encrypting and never will.

For auth. I use: https://datatracker.ietf.org/doc/html/rfc2289

Quantum safe for eternity.