search this forum for ansible puppet etc
There are no best practices around this as the environments are quite different and it’s not really a Let’s Encrypt problem space.
Distributing things (keys, configuration files) in a Virtual Environment is a general linux problem
A) Certbot does have --post-hooks for running scripts etc
B) https://serverfault.com/questions/117072/a-system-for-distributing-ssh-public-keys
C) Use a password management solution - https://thycotic.com/
D) Put certificates in to a database and then have servers connect to the database to pick them up
As I said this is more of a google and find something problem.
The way most clients work is that they obtain the certificates and dump to local filesystem
I am not aware of any clients that have agent/ssh/ansible plugins
Andrei