Question about subdomain certificates

Even with dozens of sites, especially if each site has its own "web admin" handling its own system, I think tackling it one site at a time may be the easiest approach, by having each one install an ACME client (like certbot) and configure their own system. Once the initial effort is in to have it installed and working, then it's automated from then on and just requires monitoring.

If you really want the centralized system, I think there are off-the-shelf tools for automating everything, but others here can probably give better recommendations than I could.

Depending on your architecture for running your various sites, if you want to handle it from the network/firewall approach to just "put something in front of it", you may want to look at software like Caddy to run your sites in front of your existing systems, have the existing systems stop handling certificate installation at all, and just let Caddy handle acquiring certificates as needed.

I think for more specific recommendations you'd need to say more about what kinds of systems/software you're using for running your web servers.

2 Likes
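The monitoring mentioned in the reply above can be a small expiry check run on a schedule against every subdomain; this is an added example, not part of the original post. The host names and the 20-day threshold are assumptions (certbot by default renews once fewer than 30 days remain, so anything below the threshold suggests renewal is failing).

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: the ACME client renews at about 30 days before expiry, so a
# certificate with fewer than WARN_DAYS left means renewal has been failing.
WARN_DAYS = 20


def days_left(not_after, now):
    """Whole days until expiry, given the 'notAfter' string from getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def fetch_not_after(host, port=443, timeout=5.0):
    """Connect to host, validate chain and hostname, return the notAfter field."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(hosts, now=None, fetch=fetch_not_after):
    """Return {host: status} where status is 'ok', 'renewal overdue ...' or 'error: ...'."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for host in hosts:
        try:
            remaining = days_left(fetch(host), now)
        except (OSError, ValueError) as exc:
            # ssl.SSLError (expired cert, name mismatch) and DNS/connect
            # failures are all OSError subclasses; report them per host.
            report[host] = f"error: {exc}"
            continue
        if remaining >= WARN_DAYS:
            report[host] = "ok"
        else:
            report[host] = f"renewal overdue ({remaining} days left)"
    return report


if __name__ == "__main__":
    # Hypothetical host names; replace with your own subdomains.
    for host, status in check(["www.example.org", "shop.example.org"]).items():
        print(f"{host}: {status}")
```

Because the check validates the certificate the same way a browser would, it also catches a site that is serving the wrong or an already expired certificate, regardless of which ACME client or proxy sits behind it.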