Let's Encrypt behind ACTIVE/BACKUP keepalived (VRRP)

One thing to consider in general when doing this is that certbot renew checks OCSP to see if any existing certificate has been revoked by the CA. That means there is some delay per certificate and also some use of network resources associated with each time it's run. In some contexts, that could be trivial or irrelevant.

I did see a server once with a really huge number of certificates managed by Certbot, and certbot renew ended up taking an unreasonably large amount of time because of the OCSP queries even when there were no renewals due. This and other phenomena have convinced me that Certbot doesn't scale up very well for managing large numbers of certificates.

I'm not suggesting that these considerations are relevant to @ralphwatson's situation, but I just want to note this whenever someone suggests that there's no reason not to run certbot renew on an arbitrarily short interval. With enough OCSP checks in play, you would actually start to miss some of the certbot renew invocations—they would give up immediately as an older renewal process still held the Certbot lock!

3 Likes
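The failure mode described in the post above (a short cron interval, a run that takes a long time because of one OCSP query per certificate, later invocations giving up because the lock is still held) can be made concrete. The following is an added example and is not code from the thread or from Certbot: it models cron invocations contending for a single lock, and shows the non-blocking lock pattern a wrapper script can use so that an overlapping run exits cleanly instead of piling up. The per-certificate OCSP time, the certificate count and the lock path are constructed values; the idea that Certbot holds a lock file in its configuration directory while it runs is taken from the post, while the exact mechanism used here (flock on a file) is an assumption for illustration.

```python
"""Model of `certbot renew` invocations contending for a lock (added example).

Part 1: a deterministic simulation of cron firing every `interval_seconds`
while each run takes `n_certs * ocsp_seconds_per_cert` seconds even when
nothing is due for renewal.
Part 2: a non-blocking exclusive-lock helper (assumed mechanism: flock on a
lock file) that a wrapper can use to skip a run when an older one still holds
the lock, rather than blocking or failing noisily.
"""
import fcntl
import os
import tempfile
from dataclasses import dataclass


@dataclass
class RunStats:
    started: int       # invocations that acquired the lock and ran
    skipped: int       # invocations that found the lock held and gave up
    run_seconds: float # modelled wall time of one run


def estimate_run_seconds(n_certs: int, ocsp_seconds_per_cert: float) -> float:
    """Lower bound on one renew run with no renewals due: one OCSP status
    query per managed certificate (constructed model, sequential queries)."""
    return n_certs * ocsp_seconds_per_cert


def simulate_cron(n_certs: int, ocsp_seconds_per_cert: float,
                  interval_seconds: float, horizon_seconds: float) -> RunStats:
    """Fire an invocation every `interval_seconds` over `horizon_seconds`.
    A run holds the lock for its whole duration; an invocation that starts
    while the lock is held is counted as skipped."""
    run_seconds = estimate_run_seconds(n_certs, ocsp_seconds_per_cert)
    lock_held_until = float("-inf")
    started = skipped = 0
    t = 0.0
    while t < horizon_seconds:
        if t < lock_held_until:
            skipped += 1  # older renewal still holds the lock: give up now
        else:
            started += 1
            lock_held_until = t + run_seconds
        t += interval_seconds
    return RunStats(started, skipped, run_seconds)


def min_safe_interval(n_certs: int, ocsp_seconds_per_cert: float) -> float:
    """Shortest cron interval at which no invocation is skipped: the interval
    must be at least as long as one full run."""
    return estimate_run_seconds(n_certs, ocsp_seconds_per_cert)


def try_acquire_lock(path: str):
    """Take an exclusive, non-blocking lock on `path`. Returns the open
    descriptor on success, or None if another holder exists (the caller
    should log and exit rather than wait)."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd


def release_lock(fd: int) -> None:
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def lock_contention_demo() -> tuple:
    """Show the wrapper behaviour on a constructed lock path in a temp dir:
    first acquire succeeds, an overlapping acquire is refused, and a later
    acquire succeeds once the first holder releases."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "renew.lock")  # constructed path
        first = try_acquire_lock(path)
        overlapping = try_acquire_lock(path)
        release_lock(first)
        later = try_acquire_lock(path)
        if later is not None:
            release_lock(later)
        return (first is not None, overlapping is None, later is not None)


if __name__ == "__main__":
    # Constructed scenario: 200 certificates, 1.5 s per OCSP query,
    # cron every minute, observed over one hour.
    stats = simulate_cron(200, 1.5, 60, 3600)
    print(f"run takes {stats.run_seconds:.0f}s; started={stats.started} "
          f"skipped={stats.skipped}")
    print(f"minimum interval with no skips: {min_safe_interval(200, 1.5):.0f}s")
    print("lock demo (first, overlapping refused, later ok):", lock_contention_demo())
```

With the constructed numbers, each run takes 300 s, so of 60 invocations in an hour only 12 get the lock and 48 give up immediately; raising the interval to at least the modelled run time removes the skips. The lock helper is the piece to put around `certbot renew` in a wrapper so that an overlapping invocation exits quietly with a log line instead of queueing behind the older process.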