下記参考
https://letsencrypt.jp/usage/
https://ishiis.net/2016/07/04/aws-cloudfront-with-ssl-certificates-from-letsencrypt/
sudo certbot certonly -m SOMEONE@SOMEWHERE.com -d sub.domain.com -v --agree-tos --manual --manual-public-ip-logging-ok
を実行すると、下記のようにチャレンジのレスポンスを対象のdomainでアクセスできるサーバに置けと言われる。
Create a file containing just this data: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And make it available on your web server at this URL: http://sub.domain.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
指示通りにし enter すると下記のように生成される。
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/sub.domain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/sub.domain.com/privkey.pem Your cert will expire on 2018-12-13. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"