This function is usually the responsibility of a load balancer (like AWS ELB; which automatically keeps certs up to date and has reverse-proxying capabilities). But if you want to make your own, I think the only way to renew certs at runtime is to have an nginx/apache proxy in front of your ktor server. Those servers can integrate with letsEncrypt certbot, which will swap the certs at runtime.
Your nginx/apache proxy would be running on port 443, terminating TLS, and forwarding unencrypted traffic to your ktor server. But at this point, if your reverse-proxy logic is simple enough, then nginx/apache could probably perform the reverse-proxying; making the ktor server redundant.