Thanks @bluepuma77 , that's very helpful. I guess the race conditions happen only when a cert gets renewed and that's months away, so it's not an issue.
I suppose that I could also copy over just the one cert into the other server (that's also running other sites)?
The other solution would be to use DNS validation, but I don't typically control my clients' domains.
I've seen some stuff about CNAMEs that I don't quite understand.
If the client makes discourse.example.com a CNAME to example.mydomain.com is there a way to the the DNS challenge resolve to my domain, so I can do it that way? I see topics like this one. I think that won't work because I have to control more than just the single hostname, like this says: