Something I have done:
- Each server uses the same private key, so the same cert can be re-used everywhere.
- Have the one server that runs the renewal publish the certificate to an accessible URL or file share (as part of renewal hook).
- The remainder of the servers do a nightly fetch of the certificate + graceful web server reload via crontab.
It has been reliable for me and I don't think that it's a security problem because no sensitive key material is ever moved across the network.
The one enhancement I would make is that the servers which receive the new certificate should do a validity check (name + validity period + issuer + trust) using openssl, in case some smartass decides to upload a bogus cert. I haven't got around to it.
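The validity check the post leaves as a to-do, written out as an added example (not the poster's own script): a receiving server runs it on the fetched file before swapping the certificate in and reloading. It uses only `openssl x509` and `openssl verify`, checks trust, hostname, validity window and issuer, and builds a constructed CA, a good leaf and a bogus self-signed upload in a temp directory so it runs offline. Hostnames, the CA name and the paths are placeholders.

```shell
#!/bin/sh
# Added example: receiver-side check of a certificate fetched from the renewing host.
# Reject unless it (1) parses, (2) chains to our CA bundle and matches the expected
# hostname, (3) has a comfortable amount of lifetime left, (4) was issued by the CA we
# expect. Names, paths and the CA are constructed placeholders, not real infrastructure.

# check_cert CERT HOST ISSUER_CN CA_BUNDLE [MIN_SECONDS_LEFT]   -> 0 accept, 1 reject
check_cert() {
  cert="$1"; host="$2"; issuer_cn="$3"; ca_bundle="$4"; min_left="${5:-604800}"

  # (1) Must be an X.509 certificate at all (catches an HTML error page saved as .pem)
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
    || { echo "reject: not a certificate" >&2; return 1; }

  # (2) Chain to the trusted bundle, hostname match (SAN/CN) and notBefore/notAfter
  openssl verify -CAfile "$ca_bundle" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
    || { echo "reject: fails chain/hostname verification" >&2; return 1; }

  # (3) A just-renewed cert should not be close to expiry (default threshold: 7 days)
  openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null \
    || { echo "reject: expires within ${min_left}s" >&2; return 1; }

  # (4) Pin the issuer CN so a cert from some other CA in the bundle is still refused
  openssl x509 -in "$cert" -noout -issuer | grep -q "CN *= *$issuer_cn" \
    || { echo "reject: unexpected issuer" >&2; return 1; }
  return 0
}

# Constructed fixtures for the demo: a throwaway CA, a leaf it signed for
# www.example.test, and a self-signed "bogus upload" with the same name.
make_fixtures() {
  dir=$(mktemp -d) || return 1
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 30 \
    -subj "/CN=Example Test CA" >/dev/null 2>&1 || return 1
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/good.key" -out "$dir/good.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:www.example.test\n' > "$dir/san.cnf"
  openssl x509 -req -in "$dir/good.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/san.cnf" \
    -out "$dir/good.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/bogus.key" -out "$dir/bogus.pem" -days 30 \
    -subj "/CN=www.example.test" >/dev/null 2>&1 || return 1
  echo "$dir"
}

# Stand-alone demo: accept the CA-signed leaf, reject the self-signed one.
FIX=$(make_fixtures) || exit 1
check_cert "$FIX/good.pem"  www.example.test "Example Test CA" "$FIX/ca.pem" && echo "good.pem accepted"
check_cert "$FIX/bogus.pem" www.example.test "Example Test CA" "$FIX/ca.pem" || echo "bogus.pem rejected"
# In the nightly cron job the install + graceful reload would follow only on success,
# e.g. (placeholder paths):  cp "$NEW" /etc/ssl/site.pem && systemctl reload nginx
```

In the cron job, `-CAfile` would point at the system bundle (or just the issuing CA's certificate) and the issuer CN at the real issuer; a wrong-hostname or near-expiry certificate is rejected as well, so a stale or misdirected file from the publishing host is caught before it is ever loaded.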