I have not tested this recently so revise when completing again
letsencrypt certonly -d <website> --manual --manual-public-ip-logging-ok
Then follow the same steps as for renewing
The required apache config is below:
SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM SSLCertificateFile <directory>/cert.pem SSLCertificateKeyFile <directory>/privkey.pem SSLCertificateChainFile <directory>/fullchain.pem
letsencrypt renew --manual --manual-public-ip-logging-ok
This will give you a printf to run on webserver, run that in the root of the webserver and it will create a file in ".well-known".
Confirm this is working by accessing with a browser.
Press enter on Remote and it will attempt to renew.
This will generate new certificate files in /etc/letsencrypt/live/, you will need
privkey.pem. Copy this to the webserver in the right locations and restart the webserver