From Debian:
Install certbot. Using this convention, your server will not be required to be online, but you will need access to the DNS server
certbot certonly --manual --preferred-challenges dns -d www.lab.bpopp.net
You will be instructed to add a TXT entry to the DNS to verify. If successful, certs will be copied to /etc/letsencrypt/live
On newer versions of certbot, no renewal command is required and renewal will automatically be setup. Run the following command to verify:
systemctl list-timers | grep certbot