You could even use a RaspberryPi for such a simple task.
Or any other physical (or virtual) system running Apache or NGINX.
If needed, it could essentially be set to never “interact” with any internal systems at all.
Bring those two tasks down to just one task: Forward ALL requests from HTTP/80 to HTTPS/443.
LE will follow such a redirection.
[Also: doesn’t have to be standalone - but that may better delineate the security “perimeter”]