The entire DNS-01 provisioning lifecycle - from running a client, configuring and responding to challenges, and obtaining the certificate - can happen outside of the fragile server.
The only benefit to a paid certificate is only having to install it once a year.
If I were in the OP's situation, I would probably opt for a paid certificate for this reason. Scheduling a manual certificate installation every 2 months is silly, when you can spend under $10 to get a paid 1 year certificate. However... if there were more than 1 certificate/server needed, I would probably write something using Fabric or Invoke to run the DNS-01 challenge locally and then deploy the certificates onto the servers.