Installing unsecure software to generate a cert?

@Andrew I agree with you that you should not be forced to install certain software (modifying your configuration files) on a production server to use Let’s Encrypt and, if you read the documentation, it is also not at all necessary.

You can, for example, use the Docker version of the LE client and run it on any other machine you want for verifying the domain. The only thing you need is a simple proxy_pass rule (nginx) to another host where you run the client or Docker container, if you also do not trust the Docker container security.

I described such a solution a few days ago in the LE forum.

So in general I think your demand is reasonable but can be resolved easily.

3 Likes
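
The proxy_pass arrangement described in the post above, as an added example that is not part of the original post or of the Let's Encrypt documentation. The domain names and the validation host address (192.0.2.10, a documentation-range IP) are placeholders; the challenge path is the one HTTP-01 validation requests under RFC 8555.

```nginx
# Production web server: no ACME client is installed here.
# Only challenge requests are forwarded to a separate machine
# (placeholder address) where the client or its container runs.
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder domains

    # HTTP-01 validation requests arrive under this prefix only.
    # "^~" stops regex locations from capturing these requests.
    location ^~ /.well-known/acme-challenge/ {
        # Validation only needs reads; reject other methods.
        limit_except GET {
            deny all;
        }

        # No URI part after the address, so the original request
        # path is passed through unchanged to the validation host.
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host $host;
    }

    # Everything else stays on this server and is never proxied.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place, the validation host sees only requests under the challenge prefix, and the issued certificate and key still have to be copied to the production server by whatever transfer mechanism you already trust.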