From Debian:
Install certbot. Using this convention, your server will not be required to be online, but you will need access to the DNS server
certbot certonly --manual --preferred-challenges dns -d www.lab.bpopp.net
You will be instructed to add a TXT entry to the DNS to verify. If successful, certs will be copied to /etc/letsencrypt/live