mirror of https://github.com/win-acme/win-acme.git synced 2026-04-27 03:55:56 +03:00
4 Load balancing
Wouter Tinus edited this page 2019-01-27 21:30:22 +01:00

Some pointers on Let's Encrypt and load balancing.

It really depends on whether you're using a separate appliance to offload HTTPS or whether it's handled by the servers in the pool themselves. In the latter case you should probably use the Central Certificate Store feature of IIS. You can create the certificates by running WACS with the parameters --store centralssl --centralsslstore C:\Path, pointing to your CCS path.

You can have a single server act as a renewal server running WACS, which means it's a single point of failure, but only a minor one because certificates only need to be renewed once every three months. To distribute the task of renewing, you should point the ConfigurationPath in the settings.config of WACS to somewhere on your SAN, so that any member of the pool can potentially renew the certificates.

If you're building an actual cluster, using a Clustered Task instead of a regular Scheduled Task to run WACS could be useful for reliability. Otherwise you can just configure the Scheduled Task on different machines at different times, e.g. one at 4:00am, the next at 6:00am, etc. Then you can be sure that they will not run at the same time and the first one that succeeds handles everything.

The encryption for the config files will have to be disabled via settings.config so that all machines in the cluster can read the passwords.
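
With encryption disabled, the stored passwords are protected only by the file permissions on the shared path, so it is worth auditing who can reach it. The PowerShell below is an added example, not part of win-acme or of the original page; the two UNC paths and the allow-listed accounts are assumptions to replace with your own.

```powershell
# Added example: list every identity with an Allow ACE on the shared WACS
# configuration folder and the CCS folder that is not on an explicit allow-list.
# Paths and account names are hypothetical placeholders.
param(
    [string[]]$Paths = @('\\san01\wacs\config', '\\san01\wacs\ccs'),
    [string[]]$AllowedIdentities = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'CONTOSO\WacsRenewal'   # assumed account that runs the Scheduled Task
    )
)

function Get-UnexpectedAccess {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($Allowed -contains $id) { continue }   # -contains ignores case
        [pscustomobject]@{
            Path      = $Path
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Path not reachable: $root"
        continue
    }
    # Check the folder and everything below it: inheritance may be broken
    # on an individual file, which the folder ACL alone would not reveal.
    Get-UnexpectedAccess -Path $root -Allowed $AllowedIdentities
    Get-ChildItem -LiteralPath $root -Recurse -Force | ForEach-Object {
        Get-UnexpectedAccess -Path $_.FullName -Allowed $AllowedIdentities
    }
}

if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
    exit 1   # non-zero exit so a monitoring job can alert on it
}
Write-Output 'Only the allowed identities have access.'
```

Get-Acl reports NTFS permissions only; SMB share permissions on the SAN export limit access further and need to be reviewed separately.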

If you are using an appliance, then you have to use its API and call into that from a .bat/.ps1/.exe using an Install script.