That sounds good.
Our use case is specifically for hosting infinite domains via SSL, without configuring a server. To do that, I built a client/cert manager for my team – https://github.com/aptise/peter_sslers – which is incredibly insecure by design.
We basically spin up ‘public’ instances for talking to ACME as needed, and save the data to Postgres. We have a private, secured admin instance on our LAN that has a dashboard and API to orchestrate all the ACME work and can serve certificates (or cache them into Redis). Instead of nginx, we use the OpenResty variant, which can pull an SSL cert from memory/Redis/external API.
I’m slowly migrating our core domains onto the same certificate manager, except the internal ones use a SQLite datastore. An automated task detects new certificates, backs up the datastore, and provisions new certs to other machines. (The core domains are hardcoded into our conf; the OpenResty stuff works on wildcard domains, which are handled differently.)
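The edge-side lookup the comment describes (a server that resolves an incoming SNI hostname to a stored certificate, with wildcard certs handled separately from exact names) can be sketched in a few lines. This is an added illustration, not code from peter_sslers or from the commenter; it assumes a plain dict standing in for the Redis cache, a `cert:<name>` key layout, and ISO-8601 expiry strings, all of which are constructed for the example.

```python
"""Resolve an SNI hostname to a stored certificate.

Added example, not the project's own code. A dict stands in for the
Redis/memory store that OpenResty would query; keys and values are
constructed sample data.
"""
from datetime import datetime, timezone

# Constructed sample store: "cert:<name>" -> PEM placeholder plus expiry.
CERT_STORE = {
    "cert:www.example.com": {
        "pem": "<PEM www.example.com>",
        "not_after": "2099-01-01T00:00:00+00:00",
    },
    "cert:*.example.net": {
        "pem": "<PEM *.example.net>",
        "not_after": "2099-01-01T00:00:00+00:00",
    },
    # Expired entry left in the store on purpose, to show it is skipped.
    "cert:old.example.org": {
        "pem": "<PEM old.example.org>",
        "not_after": "2000-01-01T00:00:00+00:00",
    },
}


def candidate_names(host):
    """Return the store names to try for a hostname: the exact name first,
    then the single-label wildcard for its parent domain.

    A wildcard covers exactly one label (RFC 6125 section 6.4.3), so
    a.b.example.net is never served by *.example.net, and a bare
    two-label name like example.net gets no wildcard candidate at all
    (that would be *.net).
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    names = [host]
    if len(labels) >= 3:
        names.append("*." + ".".join(labels[1:]))
    return names


def lookup_cert(host, store=CERT_STORE, now=None):
    """Return the PEM for `host`, or None if no current certificate exists.

    Expired entries are skipped rather than served: handing out a stale
    cert is worse than failing the handshake, and the caller can then
    fall back to whatever default policy the edge has (here: none).
    """
    now = now or datetime.now(timezone.utc)
    for name in candidate_names(host):
        entry = store.get("cert:" + name)
        if entry is None:
            continue
        if datetime.fromisoformat(entry["not_after"]) <= now:
            continue  # expired; keep looking (a wildcard may still be valid)
        return entry["pem"]
    return None


if __name__ == "__main__":
    for h in ("www.example.com", "foo.example.net", "a.b.example.net", "old.example.org"):
        print(h, "->", lookup_cert(h))
```

Returning `None` instead of a default certificate when nothing matches is deliberate: a default cert answering for arbitrary SNI names leaks which hostnames the edge is willing to serve and is a common source of accidental name-mismatch errors, so the edge should close the handshake and log the name instead.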