In the meantime I’ve found an easier way that involves no custom scripting: Mounting the webspace directly into the filesystem using CurlFtpFS and using the webroot plugin provided by the official client.
$ curlftpfs -o ssl,no_verify_hostname ftp://username:password@ftp.hostname /mountpoint/ftp.hostname
$ letsencrypt-auto certonly --agree-tos --text --rsa-key-size 4096 --webroot --webroot-path /mountpoint/ftp.hostname --email contact@hostname -d hostname -d www.hostname
$ fusermount -u /mountpoint/ftp.hostname