My 2¢:
For multi-node networks, I think the best strategy is to terminate SSL on the load balancer. This leaves you with a single node that needs a LetsEncrypt certificate, and avoids nearly every issue with coordinating serial ACME provisions or copying certificates from one machine to another. (Another side note, I see no tangible security concerns with sharing certificates and keys across machines).
If that isn't an option, my choice for next best option is to have the load balancer route ALL traffic for /.well-known/ to a specific backend server, and to run Certbot (or whatever client) on that machine. You can then use the hooks in Certbot to trigger copying the certificates from one machine to the others, and then restarting whatever daemons terminate SSL. This can also be done in a daily/nightly crontab, but I prefer to do this on-demand -- there are a handful of edge cases that are caused by a single site switching between two certificates.
Recap:
So, given this situation:
LetsEncrypt <--> Load Balancer <--> Backend Pool: [Backend-A, Backend-B]
I would prefer to run things as:
LetsEncrypt <--> Load Balancer `/` (runs Certbot)
But I would otherwise run things as:
LetsEncrypt <--> Load Balancer `/.well-known` <--> Backend-A (runs Certbot)
In no situation would I recommend provisioning separate certificates for Backend-A and Backend-B:
- That solution will not scale due to the Duplicate Certificate Rate Limit, so you're assuming Technical Debt
- If there is a bug in the implementation, you can use up the Duplicate Certificate Rate Limit, and will spend hours to triage and fix the situation
- There are edge cases in these setups with some browsers
There are other ways to handle this, but these two are the easiest IMHO.
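An added example of the second layout described in this post (not the poster's own script): a Certbot `--deploy-hook` that runs on Backend-A after a successful renewal, copies the new `fullchain.pem` and `privkey.pem` to the other pool members, and reloads the daemon that terminates TLS on each of them. Everything about the environment is assumed for illustration: peer host names (`backend-b`), the destination directory (`/etc/ssl/letsencrypt`), ssh/scp access as a user that may write there, and `systemctl reload nginx` as the reload command. Certbot really does export `RENEWED_LINEAGE` to deploy hooks; the `DRY_RUN` switch is a local convenience so the copy-and-reload logic can be exercised without any remote access.

```shell
#!/bin/sh
# Added example (not from the post): Certbot deploy hook for the layout
#   LetsEncrypt <--> Load Balancer `/.well-known` <--> Backend-A (runs Certbot)
# Runs on Backend-A after a renewal, pushes the new certificate and key to the
# other backends, then reloads their TLS daemon once each.
# Assumed (not from the post): peer hosts reachable over ssh, DEST_DIR writable
# by that user, nginx as the daemon. Adjust all three to your environment.
set -eu

BACKENDS="${BACKENDS:-backend-b}"                   # space-separated peers (assumed names)
DEST_DIR="${DEST_DIR:-/etc/ssl/letsencrypt}"        # where peers expect the files (assumed path)
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"  # assumed TLS daemon reload

# Transport helpers. DRY_RUN=<dir> redirects every remote operation into a
# local directory tree so the hook can be exercised without ssh access.
copy_to_host() {  # copy_to_host HOST SRC DST MODE
    if [ -n "${DRY_RUN:-}" ]; then
        mkdir -p "$DRY_RUN/$1$(dirname "$3")"
        cp "$2" "$DRY_RUN/$1$3" && chmod "$4" "$DRY_RUN/$1$3"
    else
        scp -q "$2" "$1:$3" && ssh "$1" "chmod $4 '$3'"
    fi
}
reload_on_host() {  # reload_on_host HOST
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$1: $RELOAD_CMD" >> "$DRY_RUN/reloads.log"
    else
        ssh "$1" "$RELOAD_CMD"
    fi
}

# deploy_lineage LINEAGE_DIR: push fullchain.pem (world-readable) and
# privkey.pem (owner-only) to every peer, then reload each peer once.
# Refuses to run if either file is missing or empty, so a half-written
# lineage is never distributed to the pool.
deploy_lineage() {
    lineage="$1"
    name=$(basename "$lineage")
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "deploy: $lineage/$f missing or empty" >&2; return 1; }
    done
    for host in $BACKENDS; do
        copy_to_host "$host" "$lineage/fullchain.pem" "$DEST_DIR/$name/fullchain.pem" 644
        copy_to_host "$host" "$lineage/privkey.pem"   "$DEST_DIR/$name/privkey.pem"   600
        reload_on_host "$host"
    done
}

# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) for
# --deploy-hook scripts; only act when invoked that way.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE"
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script` (or via the `deploy-hook` setting in the renewal config) on Backend-A only; the load balancer still needs its rule sending `/.well-known/acme-challenge/` to Backend-A so the HTTP-01 validation lands on the machine that actually runs Certbot. Because the hook only fires on a successful renewal, the other backends are never reloaded against a stale or partially written lineage, and the peers' key files are written owner-only before the daemon is reloaded.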