I'd say the simplest option is to use DNS validation (instead of http) so that way you can get individual certificates for anything you give a name to in your domain's DNS, or you can get a wildcard certificate and distribute it (or get multiple certs, but rate limits apply).
Most ACME tools let you script certificate deployment for custom distribution to other services/machines etc. For instance, the app I develop https://certifytheweb.com has deployment tasks for copying via SSH, UNC etc, scripting (either local PowerShell or remote bash etc).
User certs (i.e. client certificates) are out of scope for Let's Encrypt (and ACME) and you generally need to run your own CA (see step-ca open source server — Smallstep for instance). If you run your own CA you need to distribute the root certificate to all your machines so they trust your CA, and nothing will be publicly trusted.