Just to keep things "simple" (and to avoid installing dehydrated) I started using Letsencrypt manually:
openssl genrsa -out domain.tld.key 2048
openssl req -new -key domain.tld.key -out domain.tld.csr
Visit
www.sslforfree.com, follow manual verification steps, copy paste the CSR generated above,
then install private key domain.tld.key and downloaded public key domain.tld.crt and ca_bundle.crt
config setprop modSSL crt /home/e-smith/ssl.crt/domain.tld.crt
config setprop modSSL key /home/e-smith/ssl.key/domain.tld.key
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/ca_bundle.crt
signal-event console-save
signal-event email-update
Repeat every 3 months. Don't forget to create account for 1 week/day renewal reminder.