leave out private key generation, or at least split it to another optional task file (possibly with delegate_to: localhost)
(people may not like generating private key on production host)
don't clone the full acme_tiny repository but just get_url the RAW file
make renew-certs.py a simple shell script
use openssl x509 -text -in /dev/stdin | grep 'Not After' to see if renewal is needed, rather than filesystem timestamp
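
One way to do the expiry check suggested above, as an added example that is not part of the original post or the project's own code. It uses openssl's `-checkend` and `-enddate` options in place of grepping the `-text` output; the function names, the 30-day default and the self-signed sample certificate are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: decide on renewal from the certificate's own notAfter field,
# not from the file's modification time.

# Exit status 0 when renewal is needed, 1 when the certificate is still good.
# $1 = PEM certificate path, $2 = renew when fewer than this many days remain.
needs_renewal() {
    cert=$1
    days=${2:-30}    # the 30-day window is an assumed default

    # A missing or empty file means there is nothing to keep: renew.
    [ -s "$cert" ] || return 0

    # A file that does not parse as X.509 (truncated write, an error page
    # saved by a failed download) must not pass as a valid certificate.
    openssl x509 -noout -in "$cert" 2>/dev/null || return 0

    # -checkend N exits 0 if the certificate is still valid N seconds from now.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null; then
        return 1
    fi
    return 0
}

# Print the expiry date for logging, in the form "notAfter=<date> GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1"
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $2 days, written to $1 (its key goes to $1.key). For testing only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.invalid" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage in a renewal wrapper (the path is a placeholder):
#   if needs_renewal /path/to/cert.pem 30; then ...request a new cert...; fi
```

Treating an unreadable or unparsable file as "renew" keeps a failed previous run from leaving the host with a certificate file that looks fresh by timestamp but is unusable.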