Oh wow, if you're good with Paramiko... Fabric is pretty much writing pseudocode around that.
I have at least 8 active projects that use Fabric to manipulate and deploy Certbot procured assets as needed. I run my own client for a specific work project, but it's overkill for everything else. I originally leveraged Certbot for everything and used the --deploy-hook, but that started to become difficult to manage. For simple things I still use the deploy hook, but for more complex things I just have a Fabric script on cron to analyze the certbot directory for new data (and I store everything in sqlite3 so it's easy to recall and do metrics against), and then I can take appropriate actions. This gives me a bit of reassurance, because my procurement failures are isolated from my deployment failures -- so I can more easily recover from the rare occasional issue.