
Michael_MCP
I want to share my solution to the multi-server problem with Let's Encrypt.
Configuration of 3 servers:
One (primary) Let's Encrypt server.
Two alternate servers.
Everything is done on the primary server, with sites synced to the secondary servers using rsync.
To renew:
1) Stop the nginx/apache daemon on the secondary servers (as a cron job)
2) Let's Encrypt runs on the primary server (renew as a cron job)
3) The primary server creates a Diffie–Hellman–Merkle cert using openssl (as a cron job)
(Might add in here creating new SSH keys each time.)
(May also add something for DANE X.509.)
4) The two other servers sync the site and certificate (rsync as a cron job)
5) The two other servers come back online (as a cron job) with up-to-date certs.
In the future I want to allow website logon using certificates instead of usernames and passwords.
(Also looking at 2FA using TOTP and FIDO.)
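As an added example (not the poster's own scripts), here is the primary's side of steps 2 to 5 written as one certbot deploy hook. It assumes certbot exports RENEWED_LINEAGE when it runs the hook, that the secondaries accept ssh key auth as root, and that the hostnames and paths are placeholders; it verifies the renewed cert and key belong together before any secondary is touched, copies the real files behind certbot's live/ symlinks, and reloads nginx after a config test rather than stopping it.

```sh
#!/bin/sh
# Constructed certbot --deploy-hook for the primary server (added example, not the
# poster's script). Assumed: RENEWED_LINEAGE is set by certbot, secondaries accept
# ssh key auth as root, and the hostnames/paths below are placeholders.
set -eu

SECONDARIES="${SECONDARIES:-web2.example.invalid web3.example.invalid}"
DH_FILE="${DH_FILE:-/etc/ssl/private/dhparam.pem}"
MIN_DAYS=7   # refuse to deploy a cert that expires sooner than this

# Returns 0 only when the cert's public key equals the private key's public key
# and the cert is still valid MIN_DAYS from now; run before any secondary reloads.
cert_matches_key() {
    cert="$1"; key="$2"
    cpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    kpub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cpub" = "$kpub" ] || return 1
    openssl x509 -in "$cert" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null
}

# Regenerate DH parameters only when missing or older than 90 days; 2048-bit
# generation takes minutes, so doing it on every renewal is wasted CPU.
refresh_dhparam() {
    if [ ! -f "$DH_FILE" ] || [ -n "$(find "$DH_FILE" -mtime +90)" ]; then
        openssl dhparam -out "$DH_FILE.tmp" 2048
        chmod 0640 "$DH_FILE.tmp" && mv "$DH_FILE.tmp" "$DH_FILE"
    fi
}

# Push one lineage to one secondary. -L copies the files behind the live/
# symlinks; the remote is reloaded (not stopped) only after nginx -t passes.
sync_secondary() {
    host="$1"; lineage="$2"
    rsync -aL --chmod=D0750,F0640 "$lineage/" "root@$host:$lineage/"
    rsync -a "$DH_FILE" "root@$host:$DH_FILE"
    ssh "root@$host" 'nginx -t && systemctl reload nginx'
}

deploy() {
    lineage="$1"
    cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem" || {
        echo "refusing to deploy $lineage: cert/key mismatch or expiring" >&2
        return 1
    }
    refresh_dhparam
    for h in $SECONDARIES; do sync_secondary "$h" "$lineage"; done
}

# certbot sets RENEWED_LINEAGE when it invokes the hook; unset means only define.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy "$RENEWED_LINEAGE"; fi
```

Install it with `certbot renew --deploy-hook /path/to/this.sh` (or in the renewal config) so it only runs when a cert was actually renewed.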