I'm not familiar enough with docker to comment on what the best solution would be. That being said, instinctively I would say that a certificate is something that should be provided to docker instances as part of the configuration and not acquired whenever you launch a new instance (you would run into rate limits quite fast).
With DNS-based validation you have to create a TXT record on your domain with a random token. If you can automate creation of TXT records from your setup, that would be an option to solve the challenge. The rate limit issue still applies.
IIRC authorizations (solved challenges) expire after 10 months, so you could get up to 13 months of certificate coverage out of one solved challenge. The official client doesn't support this yet, it will request a new challenge token on every run.
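As an added illustration of the DNS-based validation described above (this is example code, not the commenter's setup or any ACME client's code): the TXT record that gets published is not the raw token but, per RFC 8555, the base64url SHA-256 of `<token>.<account-key-thumbprint>`, placed at `_acme-challenge.<domain>`. The key coordinates, the token and the DNS answers below are constructed placeholders; the last function simulates the check a CA performs so an automated TXT-record updater can verify its own work before asking the CA to validate.

```python
import base64
import hashlib
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value to publish for DNS-01: base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return _b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record_name(domain: str) -> str:
    """DNS-01 records live at _acme-challenge.<domain> (trailing dot tolerated)."""
    return f"_acme-challenge.{domain.rstrip('.')}"


def txt_record_satisfies(domain: str, token: str, account_jwk: dict,
                         txt_records: dict) -> bool:
    """Simulates the CA's check: the expected value must be one of the TXT strings
    at the challenge name. txt_records maps an owner name to its list of TXT strings."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in txt_records.get(challenge_record_name(domain), [])


# Constructed sample account key (P-256 JWK with placeholder coordinates, not a real key)
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "c29tZS1jb25zdHJ1Y3RlZC14LWNvb3JkaW5hdGUtMzJieXRlcw",
    "y": "c29tZS1jb25zdHJ1Y3RlZC15LWNvb3JkaW5hdGUtMzJieXRlcw",
}
# Constructed challenge token; a real one comes from the CA's challenge object
SAMPLE_TOKEN = "constructedTokenNotIssuedByAnyCA_0123456789ab"
SAMPLE_DOMAIN = "example.com"


def build_sample_zone(stale: bool = False) -> dict:
    """Constructed DNS answers: fresh zone carries the current value, stale zone a leftover one."""
    value = "leftoverValueFromAPreviousRun" if stale else dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    return {challenge_record_name(SAMPLE_DOMAIN): [value]}


if __name__ == "__main__":
    print(challenge_record_name(SAMPLE_DOMAIN), "TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("fresh zone passes:", txt_record_satisfies(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK, build_sample_zone()))
    print("stale zone passes:", txt_record_satisfies(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK, build_sample_zone(stale=True)))
```

The stale-zone case is the one an automation script most often gets wrong: a TXT record left over from an earlier run looks fine to a human but fails validation, and each failed attempt still counts against the CA's rate limits the comment warns about.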