I copy the same certbot account settings and private key to all servers and they obtain the certs themselves.

It is a bit funny that LetsEncrypt has non-expiring private keys for their accounts.