The official Let's Encrypt client, certbot is, as the elementary school saying goes, “stoopid and has lice on brain”. A sane client, dehydrated, exists but it sadly does no automation at all. So here's a list of steps you need to do.
Install it:
# apt install dehydrated dehydrated-apache2
Required global config: put into /etc/dehydrated/conf.d/global.sh; PRIVATE_KEY_RENEW is required for cert fingerprint stability for TLSA.
CONTACT_EMAIL=your.email@address.xyz
PRIVATE_KEY_RENEW=no
Put the list of certificates to obtain: one cert per line, list all alternate domain names for that site; into /etc/dehydrated/domains.txt.
example.org www.example.org
my-mirror.xyz www.my-mirror.xyz ftp.my-mirror.xyz http.my-mirror.xyz
Run it manually once:
# dehydrated -c
If you run a daemon that drops privileges early but is setgid, do:
[~]# addgroup --system ssl-cert
[~]# cd /var/lib/dehydrated
[/var/lib/dehydrated]# chown root:ssl-cert certs certs/* certs/*/*.pem
[/var/lib/dehydrated]# chmod g+x certs certs/*
[/var/lib/dehydrated]# chmod g+r certs/*/*.pem
And to reset the permissions on renewals, you need the following in your hook script:
function deploy_cert {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"

    chown root:ssl-cert "$KEYFILE" "$CERTFILE" "$FULLCHAINFILE" "$CHAINFILE"
    chmod g+r "$KEYFILE" "$CERTFILE" "$FULLCHAINFILE" "$CHAINFILE"
}
If you have no hook script yet, copy it from /usr/share/doc/dehydrated/examples/hook.sh to a location not in conf.d (/etc/dehydrated/hook.sh is fine), and put HOOK=/etc/dehydrated/hook.sh into a config file.
Do the actual per-daemon configuration; for example Apache:
SSLCertificateFile /var/lib/dehydrated/certs/example.org/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/example.org/privkey.pem

SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off
SSLOptions +StrictRequire
Reload the daemon, test!
DANE/TLSA is important. Less so for https where the CA mafia managed to keep it down, thus we need to put up with some “solutions” that are outright harmful, like HSTS. More for SMTP where it actually sees some deployment and support in server software. Obviously, this provides less security if you don't use DNSSEC, but is still better than using only CAs.

Calculate the digest:

# openssl x509 -in cert.pem -noout -pubkey|openssl pkey -pubin -outform DER|openssl dgst -sha256|cut -d' ' -f2
Put the calculated digest as a TLSA 3 1 1 entry in your DNS zone:
_443._tcp	IN TLSA 3 1 1 0a98762f9299ac2963cdf3977a70a617a3f8d3a8cdaf1f0c3ab82ff82cbe71a2
Same for SMTP, IMAP and what else:
_25._tcp	IN TLSA 3 1 1 0a98762f9299ac2963cdf3977a70a617a3f8d3a8cdaf1f0c3ab82ff82cbe71a2
_993._tcp	IN TLSA 3 1 1 0a98762f9299ac2963cdf3977a70a617a3f8d3a8cdaf1f0c3ab82ff82cbe71a2
While we're here, also say other CAs are not authorized to issue certs for you:
@	IN CAA 0 issue "letsencrypt.org"
The certs are valid only for 90 days, you need to make a cronjob to renew them:
# crontab -e
@daily	/usr/bin/dehydrated -c >/dev/null
(It will do nothing if the cert isn't close to expiration.)