Just like Fefe, I found the default software for that to be somewhat cumbersome, a huge dependency bloat with Python virtualenv (which I'm not very familiar with), and then I got into a huge fight with package versions, messed everything up and after I had figured it out, my webserver software was too old to be supported (Debian, yo). So this took an evening.
In the end, I ended up using acme-tiny instead; this leaves more of the key generation to yourself, but on the upside makes very few risky assumptions about your web server software. In the end you want to configure that yourself anyway. The readme file on GitHub has a pretty good step-by-step introduction.
While I was at it, I also updated my SSL configuration. SSL Labs now gives worse grades if your configuration uses well-known Diffie-Hellman moduli. You can generate your own parameters with

    openssl dhparam -out dhparams.pem 4096

or whatever size in bits you want for your modulus. The pem files can be concatenated and go into your webserver's TLS (SSL) configuration section.
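
An added example (not from the original post): a small Python check that reads a dhparams.pem, reports the modulus size and generator, and flags a modulus found on a list of shared primes. The function names, the 2048-bit threshold and the one-entry list (the RFC 2409 Oakley Group 2 prime) are assumptions for illustration; the sample PEM is constructed in the code.

```python
import base64, re

# RFC 2409 Oakley Group 2 prime (1024-bit), one example of a widely shared modulus.
OAKLEY_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
WELL_KNOWN = {OAKLEY_GROUP2: "RFC 2409 Oakley Group 2"}  # assumption: extend as needed
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", re.S)

def _tlv(tag, value):  # DER-encode one tag/length/value element (definite length)
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def make_pem(p, g):
    """Build a DH PARAMETERS PEM (used here only to construct sample input)."""
    ints = b"".join(_tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big")) for x in (p, g))
    body = base64.encodebytes(_tlv(0x30, ints)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + body + "-----END DH PARAMETERS-----\n"

def _read(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next offset)."""
    if buf[pos] != tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def audit_dhparams(pem, min_bits=2048):
    """Return (modulus bits, generator, findings) for the text of a dhparams.pem."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    seq, _ = _read(base64.b64decode("".join(m.group(1).split())), 0, 0x30)
    p_raw, pos = _read(seq, 0, 0x02)   # INTEGER: prime modulus p
    g_raw, _ = _read(seq, pos, 0x02)   # INTEGER: generator g
    p, g = int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")
    findings = []
    if p in WELL_KNOWN:
        findings.append("shared modulus: " + WELL_KNOWN[p])
    if p.bit_length() < min_bits:
        findings.append("modulus is %d bits, below %d" % (p.bit_length(), min_bits))
    return p.bit_length(), g, findings

SAMPLE_PEM = make_pem(OAKLEY_GROUP2, 2)  # constructed sample, not a file from the post
```

To check a real file, pass its contents: `audit_dhparams(open("dhparams.pem").read())`. An empty findings list means the modulus is not on the list and meets the size threshold.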