PKI - Short lived certificates & distribution

As you’ve already determined, there are several ways in which this can be accomplished.

A couple of the options that I would investigate are Vault Agent or VaultBot.

VaultBot, based on CertBot, is purpose-built to retrieve and update certs on web servers. Vault Agent, on the other hand, is more general purpose and can retrieve any supported secret type in Vault, drop it in a file, and optionally run a command at the end. Vault Agent is built into the normal Vault binary and leverages HCL for configuration - the templating feature (where to write the secrets) may be a little tricky to sort out at first, at least it was for me.

In any case you’d need to set up an appropriate authentication mechanism for your server. I recommend using the cloud-native options first (e.g. AWS, Kube, etc.) and fall back to AppRole if you have no other viable option or you’re using a shared service that you want to further segment access.

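As an added illustration of the Vault Agent approach described in the reply above (this is example configuration written for this page, not the reply author's or HashiCorp's own), here is a minimal agent config that authenticates, renders a short-lived certificate from a PKI role into a file, and reloads the web server afterwards. The Vault address, the AppRole credential file paths, the `pki_int` mount, the `web-server` role, the common name and the output paths are all assumptions; substitute your own. The `secret` and `writeToFile` template functions come from consul-template, which Vault Agent embeds for its `template` stanza.

```hcl
# Example Vault Agent configuration (constructed for illustration; all
# paths, mount names and hostnames below are assumptions).
pid_file = "/run/vault-agent.pid"

vault {
  address = "https://vault.example.internal:8200"   # assumed address
}

auto_auth {
  # AppRole is the fallback mentioned in the post; on AWS or Kubernetes
  # you would use `method "aws"` or `method "kubernetes"` instead so no
  # long-lived credential has to be shipped to the host.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"    # assumed path
      secret_id_file_path = "/etc/vault-agent/secret_id"  # assumed path
      # Keep the secret_id on disk only if it is a long-lived one; for a
      # single-use secret_id set this to true.
      remove_secret_id_file_after_reading = false
    }
  }

  # The agent token is sunk to a file so templates (and local tooling)
  # can reuse it; restrict it to the agent's user.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"  # assumed path
      mode = 0600
    }
  }
}

# One template renders certificate + CA chain to the public cert file and
# writes the private key to a separate, tighter-permissioned file via
# writeToFile. Using a single `secret` call keeps cert and key from the
# same issuance; two separate templates could request two different certs.
template {
  destination = "/etc/ssl/certs/web01.pem"  # assumed path
  perms       = "0644"
  contents    = <<-EOT
    {{- with secret "pki_int/issue/web-server" "common_name=web01.example.internal" "ttl=24h" -}}
    {{ .Data.certificate }}
    {{ .Data.issuing_ca }}
    {{ .Data.private_key | writeToFile "/etc/ssl/private/web01.key" "root" "root" "0600" }}
    {{- end -}}
  EOT

  # Runs after each successful render, i.e. each time a fresh cert lands.
  command = "systemctl reload nginx"
}
```

Run it with `vault agent -config=/etc/vault-agent/agent.hcl` (path assumed). Because the issued certificate is short-lived (`ttl=24h` here), the Vault policy bound to the AppRole only needs `update` on `pki_int/issue/web-server`, nothing broader; and since the agent re-renders on its own, the host never holds a credential that outlives the certificate by much. Check the rendered files' ownership and mode after the first run, since the key file is what an attacker on the box would go after.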