As far as I know, domain verification lasts for a while, I think it was longer than 90 days for a certificate, but eventually it has to be repeated, it's not valid forever.
DNS hosters without API access may be a problem for now, but it will get better when people start to request this functionality (and Let's Encrypt is a good reason why they would do that). If yours doesn't want to do it, there are others to choose from. I wouldn't view this as THE problem. For now it's zero support for this in RouterOS. It's of course nice that I can do it with an external Linux server, but if I don't have one already, it's highly impractical to get it just for this.
And when you think about it, it shouldn't be hard at all. Take the DNS method. RouterOS can already work with certificates, so it needs to extend it, so that you can request a certificate to be signed by LE. If you check some of the simpler clients (e.g. https://dehydrated.io/), there isn't too much to do. When it would be about to happen, there would be an event (hook), where you could put your own script to update DNS records. If the hoster's API would be based on http(s), then the fetch tool in RouterOS should be all that's needed. If it would use standard DNS updates, RouterOS already has a tool for it, only so far it's limited to A records only. But that's the most of it already implemented, extending it to also support TXT records can't be hard. And that's it, happy end.
And actually, RouterOS could not only update records on remote server, it could BE the server. Not the full authoritative one with all bells and whistles, but only with basic functionality to serve TXT records, when you'd point _acme-challenge subdomain to it from main server using CNAME. Again, most of what's required for this is already in RouterOS.
Ok, I got a little carried away with the last one, so forget it. But the rest is not hard. It's not a 100% perfect solution for everyone, but it's important to get started.
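
The hook step described in this post, sketched as an added example (not part of the original post and not RouterOS or dehydrated code): a hook using dehydrated's `deploy_challenge` / `clean_challenge` argument order that turns the challenge into a standard DNS update batch for `nsupdate`, validating both inputs first. `NS_SERVER`, `TSIG_KEY` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: dns-01 hook that publishes the _acme-challenge TXT record
# through a standard DNS update (RFC 2136) sent with nsupdate.
# NS_SERVER and TSIG_KEY are assumed values; adjust to your DNS server.
LC_ALL=C; export LC_ALL
NS_SERVER="${NS_SERVER:-ns1.example.net}"
TSIG_KEY="${TSIG_KEY:-/etc/acme/tsig.key}"
TTL=60

# Accept only plain hostnames, so a crafted name cannot add extra
# commands (newlines, spaces, quotes) to the update batch.
valid_domain() {
    case "$1" in
        ''|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# A dns-01 TXT value is an unpadded base64url SHA-256 digest: 43 characters.
valid_txt() {
    [ "${#1}" -eq 43 ] || return 1
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# build_batch <deploy_challenge|clean_challenge> <domain> <txt-value>
# Prints the nsupdate batch, or returns 1 without output on bad input.
build_batch() {
    valid_domain "$2" && valid_txt "$3" || return 1
    name="_acme-challenge.$2."
    case "$1" in
        deploy_challenge) op="update add $name $TTL IN TXT \"$3\"" ;;
        clean_challenge)  op="update delete $name TXT \"$3\"" ;;
        *) return 1 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$NS_SERVER" "$op"
}

# dehydrated invokes: hook <handler> <domain> <token-file> <txt-value>
case "${1:-}" in
    deploy_challenge|clean_challenge)
        batch=$(build_batch "$1" "$2" "$4") || exit 1
        printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEY" ;;
esac
```

The TSIG key should be allowed to update only the `_acme-challenge` name (or the zone it is delegated to by CNAME), so a leaked key cannot rewrite other records.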