certbot certonly \
--dry-run \
-d www.example.net \
-m yourname@example.net \
--preferred-challenges dns-01  \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual \
--manual-auth-hook /home/user/work/letsencrypt/dns01-auth.sh \
--manual-cleanup-hook /home/user/work/letsencrypt/dns01-clean.sh \
--post-hook /home/user/work/letsencrypt/post-hook.sh \
--work-dir /home/user/work/letsencrypt/work \
--logs-dir /home/user/work/letsencrypt/logs \
--config-dir /home/user/work/letsencrypt/conf

• When you run certbot in non-root user, you have to specify --work-dir, --logs-dir, and --config-dir options. These directories have to be writable with your user.
• You can only publish new certificate file via certbot. Your new certificate file will pushed under config-dir directory. Afterward, you can deploy it with your deploy tool which you like.
• The dns-01 challenge authentication only needs DNS validation and don't need to access via 80/tcp nor web server installation on your server. When you use dns-01 challenge, you can use your script to update your dns resource to --manual-auth-hook (for authentication) and --manual-cleanup-hook (for cleanup entry).
  CERTBOT_DOMAIN varaible is used to show domain name which you want to use. CERTBOT_VALIDATION vaibale is used to show validation code.

sample script which create validtion entry for aws route53

sample script which delete validtion entry for aws route53

certbot renew \
--dry-run \
--post-hook /home/user/work/letsencrypt/post-hook.sh \
--work-dir /home/user/work/letsencrypt/work \
--logs-dir /home/user/work/letsencrypt/logs \
--config-dir /home/user/work/letsencrypt/conf

• Once you get your new certificate, you have to update your certificate periodically.