We have a cluster of nodes using LetsEncrypt and the HTTP challenge. They all request their own certificates.
Each node has its own CN, but there is also a common cluster SAN entry added to each CSR.
cluster.example.com: 184.108.40.206, 220.127.116.11
The cluster A record resolves to all the IP addresses in the cluster.