I vaguely recall that for certbot, there’s something like you are doing for acme.sh (thanks for pushing this!), but I can’t find it just now. Will update this post if I find it.
That said, it eludes me why one should rotate the private key frequently. OTOH, exercising the process might be enough justification in itself …
Stay secure,
Peter
https://github.com/tlsaware/danebot:
danebotis acertbotwrapper that helps to avoid SMTP outages due to mismatched TLSA records resulting from a Let’s Encrypt automated certificate renewal.
Hi there!
If you are still using dehydrated - like me 
- the following hook might be interesting:
Cloudron recently added support for using domains hosted on deSEC. They are currently facing some issues regarding DNS-based Let’s Encrypt challenges timing out. Cloudron is an amazing product that I think aligns with the ethos of deSEC. Maybe someone has an idea how they could solve their issue and bring full deSEC support?
Thanks, I’ve included it in the top post.
Stay secure,
Peter
uacme has a 3rd party hook for doing DNS-01 challenge; GitHub - ndilieto/uacme: ACMEv2 client written in plain C with minimal dependencies
Hi quite,
Thanks for your message, and welcome to deSEC! 
We’ve added your suggestion to the list at the top.
Stay secure,
Peter