For Debian 8 (Jessie):
apt remove certbot
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown -c root /usr/local/bin/certbot-auto
chmod -c 0755 /usr/local/bin/certbot-auto
Not sure if adding this is useful: certbot-auto --install-only
For Debian 9 (Stretch):
[ -f /etc/apt/sources.list.d/stretch-backports.list ] || cat <<'END' > /etc/apt/sources.list.d/stretch-backports.list
# https://backports.debian.org/Instructions/
deb http://deb.debian.org/debian stretch-backports main
END
apt update
apt install certbot python-certbot-apache -t stretch-backports
This will also create the /etc/letsencrypt/ and /var/lib/letsencrypt/ directories if needed.
If a web server is already running on the host, but the certificate is to be obtained for another IP address/name on that host, serve the webroot challenge from a temporary HTTP server bound to that address:
dir=/var/lib/letsencrypt/tmpwww
ip=a.b.c.d   ## <-- IP to be used for validation
name=ftp.example.com
email=letsencrypt@example.com
mkdir -p "$dir"
cd "$dir"
python3 -m http.server --bind $ip 80 &
pid=$!
certbot-auto certonly --test-cert --webroot --webroot-path "$dir" -d $name -n --agree-tos -m $email
If needed, add firewall scripts to open/close ports by appending these hooks to the command above:
--pre-hook /etc/letsencrypt/renewal-hooks/pre/fw-certbot-open \
--post-hook /etc/letsencrypt/renewal-hooks/post/fw-certbot-close
After testing against the staging server, to replace the test certificate with a real one from the production ACME server:
certbot-auto renew --cert-name $name --force-renewal --server https://acme-v02.api.letsencrypt.org/directory
See also:
ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/cert.pem /etc/ssl/
ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/fullchain.pem /etc/ssl/
ln -sri /etc/letsencrypt/live/HOST.EXAMPLE.COM/privkey.pem /etc/ssl/private/
# postconf -n | grep 'smtpd_tls_.*_file'
smtpd_tls_key_file = /etc/ssl/private/privkey.pem
smtpd_tls_cert_file = /etc/ssl/fullchain.pem
# grep '^\s*TLSRSACertificate' /etc/proftpd/*.conf
# for example in tls.conf:
TLSRSACertificateFile /etc/ssl/fullchain.pem
TLSRSACertificateKeyFile /etc/ssl/private/privkey.pem
# Is this also needed? TLSCACertificateFile /etc/ssl/fullchain.pem
# doveconf -nPS | grep '^\s*ssl_'
# or to find the file (e.g. /etc/dovecot/conf.d/10-ssl.conf):
# grep -r '^\s*ssl_' /etc/dovecot
ssl_cert=</etc/ssl/fullchain.pem
ssl_key=</etc/ssl/private/privkey.pem
PostgreSQL needs to be able to read these files as user "postgres", so they must be copied into its configuration directory and chown'ed. This is best done with a deploy hook in /etc/letsencrypt/renewal-hooks/deploy/:
#!/bin/bash
## Postgresql needs to be able to read these files as user "postgres".
## So they must be copied into its config dir and chown'ed.
verbose=1
if (( verbose )); then
    echo "Running $0"
    v_cp="-v"
    v_cw="-c"
fi
cp $v_cp /etc/letsencrypt/live/m1.almanet.ch/{fullchain,privkey}.pem /etc/postgresql/9.6/main/
chown $v_cw postgres:postgres /etc/postgresql/9.6/main/*.pem
# Reload is not enough! Restart is needed.
# Will not be needed from version 10
systemctl restart postgresql
# psql -U postgres -c "SELECT name, setting, sourcefile, sourceline FROM pg_settings WHERE name LIKE 'ssl_%_file'"
# or in the file postgresql.conf:
# grep '^\s*ssl_.*_file' /etc/postgresql/9.6/main/postgresql.conf
ssl_cert_file = '/etc/postgresql/9.6/main/fullchain.pem'   # (change requires restart)
ssl_key_file = '/etc/postgresql/9.6/main/privkey.pem'      # (change requires restart)
systemctl --all list-timers
systemctl stop certbot.timer
systemctl disable certbot.timer
systemctl mask certbot.timer
m=$(( RANDOM % 60 )); h=$(( RANDOM % 24 )); d=$(( RANDOM % 7 ))
echo "## Let's Encrypt SSL certificate renewal with certbot" | tee -a /etc/crontab
echo "$m $h * * $d root /usr/bin/certbot -q renew" | tee -a /etc/crontab
# or
echo "$m $h * * $d root certbot-auto -q renew" | tee -a /etc/crontab
# dom=$(( 1+ RANDOM % 31 )); mon=$(( 1+ RANDOM % 12 ))