Not sure if you use OPNSense, but the acme plugin allows you to automatically upload certificates (via ssh) to the appropriate servers whenever the certificates are updated.
One other way would be to use a reverse proxy internally (if you only need SSL for web interfaces).