Multiple redundant front end proxies - central renewal or renewal on each proxy (acme.sh)?

With 100-ish certificates and 3 front-ends, you really can do either approach and everything will be fine.

If you're expecting to continue to grow beyond ~100, or have more front-ends (even as a future possibility), I'd very much encourage you to take the opportunity now to do #2 instead. Your pros/cons are good, but I'd also submit:

  1. You have only one place to make ACME-related changes, reducing the likelihood of stale certs hanging around, failing, and potentially causing your account to someday get paused.
  2. You'd be ready to increase to 4 or 5 load balancers/proxies without having to worry about such an increase running afoul of Let's Encrypt's per-registered-domain rate limits.
  3. You would have more control over your own downtime, because such a system only needs Let's Encrypt to successfully issue fewer certificates, and you only have one server with logs and metrics related to cert issuance that you need to monitor.

Do take a look at the Integration Guide. We suggest your central server idea, and I think it's probably your best bet.

Also, acme.sh is good software, but I'd highly recommend that you make sure to update to a version that includes support for ARI, whenever such support is added. That's also in the category of controlling your own downtime in the event of a mass-revocation issue.

Hope that helps!

6 Likes