The scenario is a network of hosts all with their own needs for certificates. It might be that SMTP and IMAP servers are on their own hosts, separate from WWW server(s), separate from DNS server(s), etc. Not an obscure situation to be sure. Any small (or bigger) office network at least and perhaps even some number of "home" networks.
It seems silly for each one of those hosts that has its own needs for certificates to run certbot and have to be able to manipulate an HTTP service, or expose one to the Internet, or be able to manipulate DNS records, etc.
It seems to make much more sense to have one single host in charge of requesting certificates, which alone has the ability to provide the secret that the LE server wants to be able to verify (by HTTP, DNS, etc.) to confirm that the requesting server has authorization for the name being requested.
This can be done through various hackish ways, such as having that single server use SSH or NFS, or SMB, etc. to distribute the certificates.
It would be much more streamlined if certbot could run on any/all of those hosts that wanted certificates, but be configured to ask its local network certbot server (or proxy if you want to call it that) to do the handshake and request with the LE certificate service and then pass the certificate data back to it when it has been supplied by the LE certificate service.
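The distribution step of the "single ACME host" setup described in this post, as an added example that is not from the original post or from certbot itself: a certbot deploy hook that pushes a renewed lineage only to the hosts that actually serve that name, so a private key never lands on a host that has no use for it. RENEWED_LINEAGE, RENEWED_DOMAINS and --deploy-hook are real certbot interfaces; the host map (CERT_TARGETS), the COPY_CMD transport variable and the destination hosts are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): deploy hook run on
# the single ACME host after a successful renewal, e.g.
#   certbot renew --deploy-hook /usr/local/sbin/distribute-certs
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.example.com)
# and RENEWED_DOMAINS (space-separated) to the hook; both are real certbot
# variables. The mapping format and transport below are assumptions.

# domain -> destination, one per line: "<domain> <user@host:/dir>" (constructed sample)
CERT_TARGETS="${CERT_TARGETS:-mail.example.com certs@mail.internal:/etc/ssl/le
www.example.com certs@www.internal:/etc/ssl/le}"

# Transport used for each file; scp in production, a local copier in tests.
COPY_CMD="${COPY_CMD:-scp -q}"

# targets_for DOMAIN: print every destination mapped to DOMAIN (may be none)
targets_for() {
    printf '%s\n' "$CERT_TARGETS" | awk -v d="$1" '$1 == d { print $2 }'
}

# distribute_lineage LINEAGE_DIR DOMAIN...: copy fullchain.pem and privkey.pem
# to each host mapped to one of DOMAIN... Returns non-zero if any copy failed,
# so certbot reports the hook failure in its log.
distribute_lineage() {
    lineage=$1; shift
    rc=0
    for domain in "$@"; do
        for dest in $(targets_for "$domain"); do
            for f in fullchain.pem privkey.pem; do
                # The per-domain map is the access control here: a host only
                # ever receives the key for names it is listed against.
                $COPY_CMD "$lineage/$f" "$dest/" || rc=1
            done
        done
    done
    return $rc
}

# Entry point when certbot invokes the hook; a no-op when sourced for testing.
if [ -n "$RENEWED_LINEAGE" ]; then
    distribute_lineage "$RENEWED_LINEAGE" $RENEWED_DOMAINS
fi
```

Hosts receiving the files still need their own reload step (e.g. a local systemd path unit or a trailing ssh command), which this hook deliberately leaves to the receiving side.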