So here is a non root, confined setup for certbot, the official Let’s Encrypt client.
Although this was done on Arch Linux, this is probably generic enough to work on any systemd enabled distribution.
Update 2016-08-10: I have improved this post to avoid using a path unit to trigger service restart upon certificate update. Apart from the fact that the configuration now involves fewer units, this also solves a minor issue. The previous setup could have been turned into a potential denial of service against systemd and the services using the certificates.
certbot is available in the official repositories:
# Register with the specified e-mail address
email = email@example.com
# Generate certificates for the specified domains. Required the first time you
# run certbot.
# Not necessary for renewal requests and thus must be commented out then.
domains = example.com, stuff.example.com
# Use a text interface instead of ncurses
text = True
# Run without ever asking for user input
non-interactive = True
# Enables OCSP Stapling
staple-ocsp = True
# Use the webroot authenticator
authenticator = webroot
webroot-path = /var/lib/letsencrypt
# Touch a specific file each time we get a new certificate
# (see certbot-renewed.service)
renew-hook = date --iso=min > renewed
Use the following systemd units to regularly check for certificates renewal:
Description=Weekly check for Let's Encrypt's certificates renewal
# The official documentation suggests running certbot two times per day but I
# find once a week to be reasonable.
OnCalendar=Sun *-*-* 04:00:00
# Use this line instead of you prefer running the check daily.
# OnCalendar=*-*-* 04:00:00