It depends what exactly you mean by “limited internet access”. Can it connect to the other server? Can it connect out to the internet? Can the other server connect back to it?
If your DNS service has an API that allows you to make scripted updates, then you can use DNS validation to renew the certificate on the second server.
If you can configure the first server to proxy requests for /.well-known/acme-challenge/* paths to the second server, then Certbot should be able to renew normally on the second server. Certbot’s apache plugin should be able to bypass this proxying when renewing the first server’s own certificate.
Another option: if you use the --reuse-key option when renewing the cert on the first server, then you only need to get the new certificate onto the second server; you don’t also need to copy the private key again in that case. So you can use a less secure method of copying, such as connecting to the live server and extracting the certificate using openssl, or downloading it from crt.sh.
If none of these options works for you, you can just copy everything from the first server to the second every time. If there is a network connection between them you may be able to automate this, e.g. certbot’s --deploy-hook option allows you to specify a script that runs after every successful renewal. Be careful to use a secure method of copying if you are indeed copying the private keys.
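As an added illustration of the --reuse-key plus --deploy-hook combination described above (this is example code, not part of the original reply and not Certbot's own code): a deploy hook that ships only fullchain.pem to the second server and never copies privkey.pem. RENEWED_LINEAGE and RENEWED_DOMAINS are the environment variables Certbot really sets for deploy hooks; DEST and COPY_CMD are assumptions for this example, and the script assumes openssl is installed. Before copying, it checks that the renewed certificate still matches the existing private key, because with --reuse-key the second server keeps its old key, and shipping a certificate for a freshly generated key would silently break TLS there.

```shell
#!/bin/sh
# Example Certbot deploy hook (not from the original post): copy only the public
# certificate chain to a second server after a --reuse-key renewal.
#
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS when it runs a --deploy-hook script.
# DEST and COPY_CMD are assumptions for this example:
#   DEST     - where fullchain.pem goes, e.g. user@second-host:/etc/ssl/certs
#   COPY_CMD - command used to copy, default scp (use rsync, or cp for local tests)
set -eu

COPY_CMD=${COPY_CMD:-scp}

# Return 0 if fullchain.pem still belongs to privkey.pem in the given lineage dir.
# Compares the SubjectPublicKeyInfo of the leaf certificate with the public half
# of the private key; if they differ, the key was rotated and the second server,
# which keeps its old key, must not receive this certificate on its own.
cert_matches_key() {
    lineage=$1
    cert_pub=$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Copy only fullchain.pem to the destination. privkey.pem never leaves this host,
# which is what makes a plain copy acceptable here.
ship_chain() {
    lineage=$1
    dest=$2
    $COPY_CMD "$lineage/fullchain.pem" "$dest/fullchain.pem"
}

# SHA-256 fingerprint of the leaf certificate, useful for logging and for
# confirming on the second server that the right file arrived.
cert_fingerprint() {
    openssl x509 -in "$1/fullchain.pem" -noout -fingerprint -sha256
}

# Entry point when invoked by Certbot. Does nothing if RENEWED_LINEAGE is unset,
# so the file can be sourced for testing without side effects.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if ! cert_matches_key "$RENEWED_LINEAGE"; then
        echo "refusing to ship: certificate no longer matches privkey.pem (was --reuse-key used?)" >&2
        exit 1
    fi
    ship_chain "$RENEWED_LINEAGE" "${DEST:?set DEST to user@host:/path}"
    echo "shipped $(cert_fingerprint "$RENEWED_LINEAGE") for ${RENEWED_DOMAINS:-?}"
    # Hypothetical follow-up for a remote host: reload the web server there, e.g.
    #   ssh second-host 'systemctl reload apache2'
fi
```

Install with certbot renew --deploy-hook /path/to/this-script.sh after the cert has been issued once with --reuse-key; the hook refuses to run if a later renewal rotates the key, which is the case where copying just the certificate is no longer enough.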