Schoen, Osiris: Thanks for the speedy replies. Initially I tried using redirects (although, following the advice in this thread: Will Let's Encrypt work for me? (Multiple servers serving one domain), I used ProxyPass instead). But, instead of using --webroot, I just used the standard invocation (apache -d …) only to find that it did not do http-based authentication (and, of course, the TLS-SNI-01 failed). DNS-01 might be an option for me, but my master DNS server is not running on an Intel-based machine, which I suspect might present its own problems.
Right now I have certbot-auto running on each box because I initially created a cert for each box’s unique domain name (hostname -f) locally on each box. But, what I’m hearing is that if I move everything to one master box and generate all the certs there, then I can simply rsync the /etc/letsencrypt hierarchy to each of the other boxes daily and be done with it, right? (A side question: If my master cert-generating box goes away for some reason, could I just start running certbot-auto on one of the other boxes, in effect turning it into a new master, or am I hosed?)
Thanks again.