Certificate signing with certbot?

[da2x]

Prompt the user for a public hostname, lookup the hostname with an authoritative DNS provider like Google (8.8.8.8). Fully qualified domain name? Does an authorative DNS provider know about the domain? Great, then we can use Let’s Encrypt to get a properly signed certificate! Install and use certbot to obtain certificates from Let’s Encrypt, and use these certificates instead of self-signing or asking user to submit to a CA.

certbot needs port 80 once per week to function. A cronjob set to run weekly could run systemctl stop webpy.service && certbot renew ; systemctl start webpy.service to keep certbot happy and the certificates fresh.