0.22 certbot with digitalocean dns

I had a hard time finding documentation on using the digitalocean plugin. But using "the google" I managed to figure it out, but certbot 0.20 in CentOS crashed. That said, I found the github for certbot 0.22 and it worked fine with digital ocean DNS. Building the binary from github was a little different than what I have been accustomed to, in that it builds a virtual environment rather than code to deploy. However, I can wait until the binary reaches the CentOS package for a final solution.

The first step is to create a token for Digital Ocean. If you installed an email server, you probably already have a token since you can't upload the DKIM key without one due to the size of the field. The instructions are here.
https://www.digitalocean.com/community/tutorials/how-to-use-the-digitalocean-api-v2

Building certbot is documented here.
https://certbot.eff.org/docs/contributing.html#running-a-local-copy-of-the-client

I already had a certificate made by using the nginx plugin. Unfortunately I didn't realize that there was no way to whitelist the letsencrypt servers. I do heavy IP filtering. Thus the switch to DNS-01.

In the /etc/letsencrypt directory, I made a digitalocean directory. There I created a file called credentials.ini. That file has two lines:

```
cat credentials.ini

# DigitalOcean API credentials used by Certbot
dns_digitalocean_token = 123456
```
where 123456 is your token. Technically you shouldn't leave your token on your VPS. More on this later.

The certbot command is:
```
certbot certonly --dns-digitalocean --dns-digitalocean-credentials /etc/letsencrypt/digitalocean/credentials.ini --dns-digitalocean-propagation-seconds 60 -d example.com -d www.example.com
```

Simple enough. It creates a CAA entry in the DNS and removes the certbot secret code from the DNS. Once certbot 0.22 is released, I will crontab it.

I don't see any way to get around leaving your token on the droplet (VPS).
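Since the token has to live on the droplet, the least you can do is make sure the cron job never runs with a readable-by-everyone credentials file. The wrapper below is an added example, not from the post or the certbot project: it checks the mode and contents of credentials.ini before calling certbot, and the paths and the nginx reload hook are assumptions matching the setup described above.

```shell
#!/bin/sh
# Added example: cron-friendly renewal wrapper for certbot's dns-digitalocean plugin.
# Refuses to run if the DigitalOcean API token file is not locked down to mode 0600.
# Paths are assumptions taken from the post; adjust to your host.

CREDS="${CREDS:-/etc/letsencrypt/digitalocean/credentials.ini}"
PROPAGATION="${PROPAGATION:-60}"

# Return 0 only if the file exists, is a regular file, and is exactly mode 0600.
# certbot merely warns about an overly permissive credentials file; here it is fatal.
check_credentials_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat (Linux) first, BSD stat (macOS) as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    [ "$mode" = "600" ]
}

# Return 0 only if the file holds a dns_digitalocean_token line whose value looks
# like a real token (20+ alphanumerics), so a leftover placeholder such as the
# post's "123456" is rejected before certbot ever contacts the API.
check_credentials_content() {
    grep -Eq '^[[:space:]]*dns_digitalocean_token[[:space:]]*=[[:space:]]*[A-Za-z0-9]{20,}[[:space:]]*$' "$1"
}

# First issuance: same flags as the post, plus the options cron needs to run unattended.
issue_certs() {
    certbot certonly --non-interactive --agree-tos \
        --dns-digitalocean \
        --dns-digitalocean-credentials "$CREDS" \
        --dns-digitalocean-propagation-seconds "$PROPAGATION" \
        "$@"          # one or more "-d example.com" pairs
}

# Renewal: certbot reads the plugin settings back from its renewal config, so only
# the deploy hook (assumed: reload nginx on a new certificate) is needed here.
renew_certs() {
    certbot renew --non-interactive --deploy-hook 'systemctl reload nginx'
}

main() {
    check_credentials_perms "$CREDS"   || { echo "refusing: $CREDS must be mode 0600" >&2; return 1; }
    check_credentials_content "$CREDS" || { echo "refusing: no usable token in $CREDS" >&2; return 1; }
    renew_certs
}

# Only run when invoked as "renew-wrapper.sh --run", so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from cron with `--run`; a 0644 credentials file or a placeholder token makes it exit non-zero before certbot is invoked, which shows up in cron mail instead of silently leaking a token.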
