diff --git a/doc/source/letsencrypt.rst b/doc/source/letsencrypt.rst
index 260cb209f7..73bfdfac17 100644
--- a/doc/source/letsencrypt.rst
+++ b/doc/source/letsencrypt.rst
@@ -131,3 +131,23 @@ Hosts will log their ``acme.sh`` output to
The `G Suite Toolbox Dig `__
tool can be useful for checking DNS entries from a remote location.
+
+Refreshing keys
+===============
+
+In normal operation there should be no need to manually refresh keys
+on hosts. However there have been situations (such as LetsEncrypt
+revoking certificates made during a certain period due to bugs) which
+may necessitate a manual renewal.
+
+The best way to do this is to move the ``.conf`` files from
+``/etc/letsencrypt-certs/`` on the affected host and allow
+the next Ansible pulse to renew.
+
+.. code-block:: console
+
+ # cd /etc/letsencrypt-certs/
+ # rename 's/.conf/.conf.old/' *.conf
+ # tail -f /var/log/acme.sh/acme.sh.log
+ ... watch and should be renewed on next pulse
+ # rm *.conf.old
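Review bot: In the console block, the pattern in rename 's/.conf/.conf.old/' *.conf is unanchored and its dot is unescaped, so it rewrites the first place any character followed by "conf" appears in a file name rather than the suffix; 's/\.conf$/.conf.old/' would touch only the extension. The prose also says to move the files "from" /etc/letsencrypt-certs/ while the example renames them in place, so one of the two should be changed to match the other. The final rm *.conf.old follows a "watch" step that gives no success criterion; stating what in acme.sh.log (or which regenerated file) confirms the renewal would keep an operator from deleting the old configuration after a failed pulse. The heading says "Refreshing keys" while the body talks about renewing revoked certificates, so consider aligning the title with the text.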