Let's Encrypt more or less assumes you're going to automate renewal since their certs are only good for 90 days. They have an officially-supported tool but numerous others exist since there's a well-defined protocol for renewing certificates (ACME); check their website for a list.
I wouldn't call myself a security expert but as far as I'm aware you only need one certificate covering communications with users and won't stand to gain much by adding SSL between nodes in your cluster.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.