To generate a LetsEncrypt certificate you should ensure one of the following three preconditions:

1) Your server, for whose domain name you want to get a certificate, is visible to the Internet and you are able to occupy port 80 for the verification phase (i.e. no Apache, Nginx or other server software needs to be permanently run on these ports, so LetsEncrypt can start a temporary verification server). Remember, the domain you request a certificate for, will have to refer back to the machine of certbot.

2) You have an access to DNS and are able to add an entry, required by LetsEncrypt. For such circumstances you can even receive a certificate, that points to an internal, closed from outside world, domain. In the past you would have to use self-signed certificates for similar cases, unless you run your own verified certification authority. Nowadays it is not just easily accomplished with this option, but also allows you to automate such certificates renewal via an API of your DNS provider.

3) Certbot is able to put a file into a web root directory and verify it, by calling it later from the Internet. A less likely and less convenient scenario, as it will in most cases require you to add exceptions to .htaccess to be able to call the file from outside, also if you have multiple production frontends, you would end-up messing with multiple .htaccess files and thinking how to synchronise the resulting generated verification files to all frontends. Therefore I do not recommend this method, but mention it for the sake of completeness.

So, the software you would need for the job is called certbot and it is available in Epel repository.

In case of CentOS 7, here are the steps you would perform to install a LetsEncrypt bot:

sudo yum install epel-release
sudo yum update && yum -y install certbot

Certificate generation for the method 1:

 certonly --standalone -d -d

Certificate generation for the method 2:

 certonly --standalone -d -d --manual --preferred-challenges dns

Here you will be guided on TXT DNS entries to add.

Make sure the DNS entry is added properly by issuing such command before you confirm to proceed:

host -t TXT

Do not forget to replace with your domain name in all the above examples.

That is it, your certificates have been successfully generated.