You have two modes. First is very simple but hard to maintain and sometimes results in stopped web server (apache/nginx/…) and never re-run again. Second is more difficult, but it is the one you want.

works like this: stop webserver, run certbot and listen on :80 to prove you're the owner of the website, start webserver. The trap is obvious. If you try to automatize it into a cron script it could hang on certbot thus never starts webserver again. Here is on-line command

 certbot certonly -d www.mydomain.cz --pre-hook="service nginx stop" --post-hook="service nginx start"

 certbot renew --pre-hook="service nginx stop" --post-hook="service nginx start"
 
 

1. You create some dir /var/www/I/like/it/here

2. Add to your website or many websites an exception
   Nginx  
   <code>
      location /.well-known {
      alias /var/www/I/like/it/here/.well-known;
    }
    </code>
    
    Apache2:
    <code>        
        alias "/.well-known" /var/www/letsencrypt/.well-known
    </code>

      
3. When you call certbot with webroot parameter
    certbot certonly --webroot  -d novyweb.starlab.cz
    here is the HTTP GET code what the remote server asks for:
       

GET /.well-known/acme-challenge/Rrc-EMcYmhRM7ETvn8Hs8TcAh9FgHiUAxfkoHEjX7Kc HTTP/1.1
Host: novyweb.starlab.cz
User-Agent: Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
Accept: */*
Accept-Encoding: gzip
Connection: close

 4. And renew is easy allways the same
    certbot renew --webroot -w /var/www/I/like/it/here
    
    

• https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8