@m.e, certbot wants to save the key, certificate, and chain (among other things) into files underneath the directory /etc/letsencrypt. In order to do this, it needs to be run as root, normally with sudo. There are options for running certbot without root access, but you won’t get the automatic renewal features.
Normally you should run certbot on the web server, and it will save all of these things in files within /etc/letsencrypt. If you’re using Apache, it can also change your Apache configuration to configure it to use the new key, certificate, and chain.