Multiple AWS accounts

You can have everything in /.well-known/acme-challenge redirect (LetsEncrypt's validator will honor that) or proxy within your network onto a single server. Or you can use DNS challenges.

I open-sourced our solution a while back. It's overkill for your needs, but should make sense: GitHub - aptise/peter_sslers: or how i stopped worrying and learned to love the ssl certificate

When doing HTTP validation, we typically run a single instance on a given node, and proxy all traffic onto it from the load balancer. Machines in our network query that node's API when they need an existing certificate or need to enroll a new domain. From the vantage point of LetsEncrypt, it's all one machine. Behind our load balancer(s), there could be 2-20 nodes.

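The two HTTP options from the post above, sketched as nginx configuration. This is an added example, not part of the original post and not taken from peter_sslers; the hostname `acme-validator.example.net` and the address `10.0.0.10` are placeholder assumptions.

```nginx
# Added example. Use ONE of the two server blocks per edge node, not both.
# Hostname and IP below are placeholders (assumptions).

# Option A: redirect. Works across accounts because the validator
# simply follows the redirect to the one node that runs the ACME client.
server {
    listen 80;
    server_name _;

    # ^~ keeps regex locations from capturing challenge requests.
    # Only this prefix is forwarded; nothing else leaves the node.
    location ^~ /.well-known/acme-challenge/ {
        # The HTTP-01 validator follows redirects only to http/https
        # on ports 80 or 443, so keep the target on a standard port.
        return 302 http://acme-validator.example.net$request_uri;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Option B: proxy inside the network onto the single validation node.
upstream acme_validator {
    server 10.0.0.10:80;
}

server {
    listen 80;
    server_name _;

    location ^~ /.well-known/acme-challenge/ {
        # Preserve the requested hostname so the validation node can
        # tell which domain the challenge belongs to.
        proxy_set_header Host $host;
        proxy_pass http://acme_validator;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

Whichever option is used, the validation node ends up holding the ACME account key and the issued private keys, so its certificate API should be reachable only from the nodes that need it.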