I'm making progress! I have automatic certs locally on my own instance.
Basically I just set it up using the ACME client, serving the challenge and the TLS cert, and set up the renew timer. I still need to do saving and loading to a file so it doesn't make a new Let's Encrypt account every restart.
I also have a plan to move the whole state file of the portal server to a root-owned file and just pass an fd when spawn starts portal. That way I can make the cert root-owned and the state too, so certain attackers wouldn't be able to insert their own registrations or anything else.
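The fd-handoff design above, as an added illustration (not the portal server's own code): the privileged parent opens the state file, then spawns the portal child with only the descriptor passed through, so the child can read the state it inherited but cannot reopen the path itself. The JSON state layout, the chmod-to-0 stand-in for "root-owned", and the optional `run_as_user` parameter are assumptions made for the example.

```python
"""Privilege-separated state handoff: parent opens the state file,
child gets an inherited fd instead of a path it could reopen or replace."""
import json
import os
import subprocess
import sys
import tempfile

# Source of the spawned "portal" child (constructed for this example).
CHILD_SRC = r'''
import json, os, sys
fd, path = int(sys.argv[1]), sys.argv[2]
with os.fdopen(fd, "r") as f:          # read only via the inherited fd
    state = json.load(f)
try:
    open(path).close()                  # should fail unless running as root
    can_open = True
except PermissionError:
    can_open = False
print(json.dumps({"state": state, "can_open_path": can_open}))
'''


def spawn_portal_with_state_fd(state_fd, state_path, run_as_user=None):
    """Spawn the portal child with state_fd passed through; return its report."""
    kwargs = {"pass_fds": (state_fd,)}  # only this fd crosses into the child
    if run_as_user is not None:         # hypothetical: drop privileges (Py 3.9+)
        kwargs["user"] = run_as_user
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SRC, str(state_fd), state_path],
        capture_output=True, text=True, check=True, **kwargs)
    return json.loads(proc.stdout)


def demo():
    """Constructed state file: opened first, then made unreadable by path."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump({"acme_account": "placeholder-account-id",
                   "registrations": ["example.invalid"]}, f)
        path = f.name
    fd = os.open(path, os.O_RDONLY)     # parent holds the fd before locking down
    os.chmod(path, 0)                   # stand-in for root-only ownership
    try:
        return spawn_portal_with_state_fd(fd, path)
    finally:
        os.close(fd)
        os.chmod(path, 0o600)
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The child's `can_open_path` is False for an unprivileged user, which is the property the design relies on: state and cert stay readable only through descriptors the privileged parent chose to hand over.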