AS3 w/ certificates and renewals..

I appreciate the response.   We have already made an extensive investment in AS3, so we are not backing out of that.  For the new setup, we are forgoing the Python script that we used in the past to renew certificates - due to it breaking the source of truth of AS3.

So I have some ideas, and we do have the Ansible Automation Platform (AAP), so I think we will be writing a playbook that will basically do the following:

1. Use a home-made python based AAP plugin that will scan all the files in our GitHub repository.  It will return a list of files that have expired certificates within, based on a threshold date. 
2. Read in each file into a JSON variable, this would be the entire declaration.  I am doing this, so it will be easy to literally pull out the certificate(s) into a separate variable using JSON/YAML references. 
3. Pull out the Common Name and any SANs from the existing certificate.
4. Generate a new CSR / private key based on info above.
5. Using ACME, generate a new certificate.
6. Insert the certificate and new key into the JSON/YAML structure (again using the references, using an assignment).
7. Write out the JSON/YAML structure to a file, and upload up to Github, replace what exists (new version, and all).
8. Do a push and pull request (all automated).
9. Then run the two plays I have that fetch the declaration from GitHub and deploy it (thus renewing the certificate) -- all using the source of truth.

I am sure you saw that I am uploading the certificate and key to the GitHub repository.  Right now  -- yes -- probably a bad practice, but one we are following until we get everything migrated.   The GitHub repository is private to myself and the service owners (white list access only), which is a stopgap.   During and after migration -- I will be working on pulling the private keys out, and putting references there instead, that I would read and fetch the appropriate private key from a safer storage location, and then insert it into a read in declaration  -- then deploy it, all from memory, and the private key is purged from memory once the playbook ends.