Would it need access to the private keys at all?
I thought of making a cron script or something. have to figure out how to serve a file from nginx for the verification instead of having to start the python http server
So I've been looking into this, and it appears the there's not really a set renewal process for ACME (yet). So, until the standard for renewal is settled, we'll just have to create new CSR's and request they be signed every 90 days. NOTE: I made a tiny script to this via cron (acme-tiny).
Anyway, I'm closing this issue until there is an official way to renew.
It would still be helpful to mention something in the README about the state of renewals. Every user of this project will soon find that they are interested in the topic of renewals, especially automating them.