Why can’t you just have a long lived internally signed cert on your archaic apps and LE at the edge on a modern proxy? It’s easy enough to have the proxy trust the internal cert and connect to your backend service that shouldn’t know the difference if there’s a proxy or not.
Or is your problem client side?
Automated certificates are relatively new and pretty neat. Killing off the certificate cartels is an added bonus.
You could try a path unit watching the cert directory (there are caveats around watching the symlinks directly) or most acme implementations have post renewal hooks you can use which would be more reliable.
You could try using the DNS challenge instead; I find it a lot more convenient as not all my services are exposed.
MechaHitler.