Infrastructure Design Question SSL Certs

Im currently designing a network, mostly from the ground up. All Linux based services, roughly between 50-100 VMs in use at any given time (some services expand as needed). The services are all internal use. I'm using acme.sh to generate certs from LetsEncrypt via API. Not using a local cert authority. My question is, for all of the various services what is the best approach to managing them, I can think of two options: A) Single primary server, generate an edge cert *.domain.tld, and then all services/servers get a copy of the cert. B) Every server gets their own cert machine.domain.tld and service.domain.tld and manages their own updates. Certs would be used for a wide variety of services that need/can have it, from user facing web services, zabbix, logging, sql, whatever. If it can have an SSL cert, it gets one. Period. I'm leaning towards option A. While this does create a single point of failure/security concern, managing and updating certs across the board can be easily automated, but B the more traditional method doesn't expose a potential edge cert to compromise and prevents the single primary server going down from taking down the entire network, or at least causing a metric ton of alerts when it does. Also using B would increase the time to provision new VMs as they each need to go through the acme.sh process to get a cert. So first question, am I being stupid for even considering option A? Did I miss a whole technology that manages this already? (that isn't a self-hosted cert authority, mandate from upper non-tech management that have had a 'bad experience' with it before. . .), is there a better way to manage certs like this at scale? Do I second guess myself too much? Appreciate any advice given.