Issuing and renewing a Let's Encrypt SSL certificate with the DNS (DNS-01) challenge is a good option for servers behind firewalls and servers that cannot connect to the internet.
To set this up, please follow the instructions from the link
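One way to automate the DNS-01 step on such a server, as an added example that is not from the original page or the linked instructions: a certbot manual hook that publishes the challenge TXT record with nsupdate. The DNS server name, TSIG key path and TTL are assumed placeholders.

```shell
#!/bin/sh
# Added example: DNS-01 hook for certbot that publishes the challenge via nsupdate.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before running a manual hook.
# Assumed site-specific values (placeholders, not from the original page):
DNS_SERVER="${DNS_SERVER:-ns1.example.internal}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/tsig.key}"
TTL="${TTL:-60}"

# TXT record name the CA looks up; a wildcard is validated at its base domain.
challenge_name() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# Emit nsupdate input for "add" or "delete". Inputs are checked against a strict
# character set so a malformed value cannot smuggle in extra nsupdate commands.
build_update() {
    action="$1"; domain="$2"; token="$3"
    case "$domain" in ''|*[!A-Za-z0-9.*-]*) return 1 ;; esac
    case "$token" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    name=$(challenge_name "$domain")
    case "$action" in
        add)    line="update add $name $TTL TXT \"$token\"" ;;
        delete) line="update delete $name TXT \"$token\"" ;;
        *)      return 1 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$DNS_SERVER" "$line"
}

# Runs only when certbot invokes the script; $1 is "add" (auth) or "delete" (cleanup).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    update=$(build_update "${1:-add}" "$CERTBOT_DOMAIN" "${CERTBOT_VALIDATION:-}") || exit 1
    printf '%s\n' "$update" | nsupdate -k "$TSIG_KEYFILE"
fi
```

Pass the script to certbot with --manual --preferred-challenges dns, using --manual-auth-hook "<script> add" and --manual-cleanup-hook "<script> delete". Keep the TSIG key readable by root only and scope it on the DNS server to the _acme-challenge names.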
More useful certbot commands
> certbot certificates
> certbot delete --cert-name [CERT_NAME]
Renew one certificate (--dry-run only tests the renewal; remove it to actually renew)
> certbot renew --cert-name [CERT_NAME] --dry-run