There is a third option you should consider: use one certificate per server with only the domains it needs, but generate them on the centralized certbot server and deploy them with scp. (You’ll have to use DNS authentication.)
This is what we just installed: a “Certification Server” under Ubuntu with certbot. This server generates and renews the files with DNS auth, then copies each file to each server with the scp command.
This has an important advantage over option #1: if one server (other than the certbot one…) is compromised, you don’t have to replace all the certificates, just that one.
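As an added example (not posted by anyone in this thread), here is what the per-server push from the central certbot host can look like as a `--deploy-hook` script. It assumes a mapping file (`/etc/certbot-deploy/hosts.map`, my own invention) with one line per lineage, `<primary-domain> <user@host> <remote-dir>`, key-based SSH from the certbot host to each web server, and nginx on the target; `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the variables certbot itself exports to deploy hooks. Only the certificate that was just renewed leaves the certbot host, and only to the one server listed for it, so a compromise of that server still exposes just that server’s key.

```shell
#!/bin/sh
# Added example, not from the thread: certbot deploy hook that copies a renewed
# certificate to the single server that uses it.
# Assumed layout of $MAP_FILE (one lineage per line):
#   www.example.com deploy@web1.example.internal /etc/ssl/le
MAP_FILE="${MAP_FILE:-/etc/certbot-deploy/hosts.map}"   # assumed path
DRY_RUN="${DRY_RUN:-0}"                                 # 1 = print instead of copying

# lookup_target DOMAIN: print "user@host remote-dir" for DOMAIN, or fail if unmapped.
lookup_target() {
    awk -v d="$1" '$1 == d { print $2, $3; found = 1 } END { if (!found) exit 1 }' "$MAP_FILE"
}

# deploy_cert LINEAGE_DIR DOMAIN: push fullchain + privkey of LINEAGE_DIR to DOMAIN's server.
deploy_cert() {
    lineage="$1"
    domain="$2"
    target=$(lookup_target "$domain") || { echo "no deploy target for $domain" >&2; return 1; }
    set -- $target
    host="$1"
    dir="$2"
    if [ "$DRY_RUN" = 1 ]; then
        echo "scp $lineage/fullchain.pem $lineage/privkey.pem $host:$dir/"
        return 0
    fi
    # -p keeps timestamps; the remote chmod keeps the private key readable by root only.
    scp -p "$lineage/fullchain.pem" "$lineage/privkey.pem" "$host:$dir/" &&
    ssh "$host" "chmod 600 '$dir/privkey.pem' && chmod 644 '$dir/fullchain.pem' && systemctl reload nginx"
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/www.example.com) when it
# runs a deploy hook; the lineage name is the certificate's primary domain.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$(basename "$RENEWED_LINEAGE")"
fi
```

Install it with `certbot certonly --dns-<plugin> -d www.example.com --deploy-hook /usr/local/sbin/push-cert.sh` (plugin name and script path are placeholders); `certbot renew` then reruns the hook only for lineages that actually renewed. Keeping one lineage per server in the map is what preserves the "replace just that one" property described above.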
OK, we will generate a certificate per server.
If you already have such a deployment with individual certificates, then you don’t need a wildcard.
Security: Best solution: One ACME-client per server, so the private key is only on that machine.
Edit: I misread. I think you should generate keys and certs in the same location you use them. I can’t see a good reason to use centralization in your case.
I understand, but installing and maintaining certbot on ALL our machines is very costly in time. Isn’t copying with SCP a good practice?