suggestions

[drzraf]

• leave out private key generation, or at least split it to another optional task file (possibly with delegate_to: localhost) (people may not like generating private key on production host)
• don't clone the full acme_tiny repository but just get_url the RAW file
• makes renew-certs.py a simple shellscript
• use openssl x509 -text -in /dev/stdin |grep 'Not After' to see if renew is needed, rather than filesystem timestamp