下記参考
https://letsencrypt.jp/usage/
https://ishiis.net/2016/07/04/aws-cloudfront-with-ssl-certificates-from-letsencrypt/

sudo certbot certonly -m SOMEONE@SOMEWHERE.com -d sub.domain.com -v --agree-tos --manual --manual-public-ip-logging-ok

を実行すると、下記のようにチャレンジのレスポンスを対象のdomainでアクセスできるサーバに置けと言われる。

Create a file containing just this data:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And make it available on your web server at this URL:

http://sub.domain.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

指示通りにし enter すると下記のように生成される。

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub.domain.com/privkey.pem
   Your cert will expire on 2018-12-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"