Hi @numnum,
I would add that Certbot (the client that we develop at EFF) is normally run with root access (but doesn't have to be) and normally tries to edit web server configuration files (but doesn't have to do so). If I were a shared hosting provider, I would not really want to run Certbot as root to edit web server configuration on behalf of a single customer, just because of the remote chance that it might cause a reliability problem for other customers.
The hosting provider can try to set up some kind of official support for Let's Encrypt for all of its customers using software of its choice, or can run a number of clients, as @ahaw021 pointed out, to obtain certificates without running as root and without automatically editing the server configuration files. I think the clients implemented in bash could be a good choice.
In any case, the provider should consider how the certificates will be installed once they're obtained, and how they'll be renewed when they expire (every 90 days).