Allow creating private keys and directory with g+rX
singpolyma opened this issue
I have various users on my system that need access to SSL private keys, so I use group ssl-cert for them, but uacme always sets umask such that private/* and key.pem files all end up not group readable. Would be nice if there were an option to allow group reading (setting correct group is handled because I have g+s on private/ in my case).
uacme sets permissions on keys and directories only when it creates them. It never touches permissions of an existing file or directory. You are therefore free to change permissions as you like. Note there is also an option (-n) that prevents uacme from creating any file or directory. This is useful if you'd like to provide your own keys, which you can generate with openssl or gnutls.
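The approach described in the reply above, as an added example that is not part of the original thread or of uacme itself: pre-create the key directory and key with group access, then check the resulting modes. The `CONFDIR/private/DOMAIN/key.pem` layout, the function names and the paths are assumptions; `ssl-cert` is the group from the issue.

```shell
#!/bin/sh
# Added example, not uacme code. Assumed layout: CONFDIR/private/DOMAIN/key.pem.
# All function names are hypothetical.

# prepare_key_dir CONFDIR DOMAIN GROUP: setgid, group-traversable, closed to others.
prepare_key_dir() {
    (
        umask 027
        mkdir -p "$1/private/$2" || exit 1
        for d in "$1/private" "$1/private/$2"; do
            # chgrp before chmod: chmod can drop g+s if the caller is not in the group
            chgrp "$3" "$d" && chmod 2750 "$d" || exit 1
        done
    )
}

# generate_group_key CONFDIR DOMAIN: new P-256 key, mode 0640, never overwrites.
generate_group_key() {
    key="$1/private/$2/key.pem"
    if [ -e "$key" ]; then
        echo "refusing to overwrite $key" >&2
        return 1
    fi
    ( umask 027
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$key"
    ) || return 1
    # openssl may create key files 0600 regardless of umask, so set the mode explicitly
    chmod 0640 "$key"
}

# audit_key_perms CONFDIR: print anything under private/ that the group cannot
# read (or, for directories, enter) or that others can access at all.
audit_key_perms() {
    find "$1/private" \( ! -perm -0040 -o -perm -0004 -o -perm -0002 \
        -o -perm -0001 -o \( -type d ! -perm -0010 \) \) -print
}

# Typical use as root, with the group from the issue:
#   prepare_key_dir /path/to/confdir example.com ssl-cert
#   generate_group_key /path/to/confdir example.com
#   audit_key_perms /path/to/confdir    # no output means the modes are as intended
```

Because the directory and key already exist when uacme runs, it leaves their modes alone, as the reply states; adding `-n` keeps it from creating anything that is missing.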