Well, HAProxy obviously needs to know about the certificate somehow. But isn’t an HAProxy configuration change necessary anyway? Because you’ll need your software to respond to the new customer hostname, right? Or is that handled by the webservers downstream of HAProxy? Is TLS passthrough an option?
Also, I’m not familiar with HAProxy, but does it have some sort of “include” directive for its configuration? It would still need a reload of some kind (but that is also true for e.g. Apache or nginx), but perhaps it would make the configuration less “cluttered” if the separate TLS statements are separated in a configuration file per customer/custom hostname and perhaps grouped in a distinct directory.
--standalone option, it’s required that no webserver is listening at that moment. You probably don’t want that. Isn’t it better to use the webroot challenge?
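As an added illustration (not part of the original post, and not a configuration the poster supplied), here is one way the two ideas in the reply can be expressed in HAProxy: a per-customer certificate directory instead of per-host TLS statements, and an HTTP-01 challenge route so a webroot challenge can be used instead of --standalone. All paths, ports and backend names are assumptions.

```haproxy
# Added example, not from the original post. Paths, ports and names are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https-in
    # Pointing 'crt' at a directory loads every PEM file in it (each file
    # holding the private key plus the certificate chain, e.g. certbot's
    # privkey.pem + fullchain.pem concatenated) and HAProxy picks the
    # certificate by SNI. Dropping in a new customer's PEM leaves this file
    # unchanged, but a reload (e.g. `systemctl reload haproxy`) is still needed.
    bind *:443 ssl crt /etc/haproxy/certs/
    default_backend app-servers

frontend http-in
    bind *:80
    # Send ACME HTTP-01 challenge requests to a small local webserver that
    # serves the certbot --webroot directory, so nothing has to bind port 80
    # with --standalone while HAProxy is running.
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme-webroot if is_acme
    # Everything else is redirected to HTTPS.
    http-request redirect scheme https code 301 unless is_acme

backend acme-webroot
    server acme 127.0.0.1:8402

backend app-servers
    server web1 10.0.0.11:8080 check
```

The local webroot server on 127.0.0.1:8402 is assumed to serve the same directory that certbot writes the challenge token into (its --webroot-path).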