I just want a certificate

I haven’t had a chance to do this yet, but I plan to set up a cron job to get a cert out of their client (or maybe using something like https://github.com/diafygi/letsencrypt-nosudo) and then scp (or ftp) it to the server(s) that need it. Is it okay for your FTP server to run a webserver long enough for validation of your domain? Or can you have the FTP server forward all 443 traffic to another machine that can run one?

If you can only ever run an FTP server on your target machine, you could repoint the DNS record to a server you have full control over and have that machine forward all FTP traffic to your FTP server and handle the 443 https stuff. But this has a few big downsides: all FTP traffic will be proxied through the second server, using its bandwidth and creating another failure point…

Even if you pay for a cert, the certificate authority will have a process to verify domain ownership. Often they allow you to just add a DNS TXT record.

–edit–
LE does plan to implement verification by TXT record: https://letsencrypt.org/howitworks/technology/
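
The deploy half of the cron job described in this post, as an added example that is not from the original poster: before copying anything it checks that the certificate is readable and unexpired and that the private key belongs to it. The function names, file paths, host name and cron schedule are assumptions; obtaining the certificate is left to whichever ACME client is used.

```shell
#!/bin/sh
# Added example. Constructed usage (paths, host and schedule are placeholders):
#   deploy-cert.sh /etc/ssl/new/site.crt /etc/ssl/new/site.key deploy@ftp.example.test /etc/ssl/ftp
# Constructed cron entry, weekly at 03:00 on Monday:
#   0 3 * * 1 /usr/local/bin/deploy-cert.sh <cert> <key> <host> <dir>

# Return 0 if the certificate in $1 expires within $2 days or cannot be read.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    # -checkend exits 0 only when the cert is still valid $secs from now.
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Return 0 only if the private key in $2 belongs to the certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    # An empty value means a file was missing or unparsable: treat as mismatch.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy cert and key to host $3, directory $4, only after both checks pass.
deploy_cert() {
    cert=$1; key=$2; host=$3; dest=$4
    if cert_expires_within "$cert" 0; then
        echo "refusing: $cert is expired or unreadable" >&2
        return 1
    fi
    if ! key_matches_cert "$cert" "$key"; then
        echo "refusing: $key does not match $cert" >&2
        return 1
    fi
    # The private key travels with the cert, so use scp (encrypted in transit)
    # rather than plain FTP, which sends file contents in cleartext.
    scp -p "$cert" "$key" "$host:$dest/"
}

# Run only when invoked with the four arguments shown in the usage comment.
if [ "$#" -eq 4 ]; then
    deploy_cert "$@"
fi
```

`cert_expires_within "$cert" 30` can also gate the renewal step itself, so the cron job only contacts the CA when the current certificate is inside its last 30 days.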