Also note when reading this that the basic paradigm for most people is using Let's Encrypt certificates to secure connections to a publicly-visible service (that is accessible by other people on the Internet).
This is important because
(1) There might not be a benefit to using a Let's Encrypt certificate if you have a private/internal-only service.
(2) There might be an alternative to using a Let's Encrypt certificate (such as a self-signed certificate) if you have a private/internal-only service.
(3) The default behaviors of Certbot and other ACME clients may not work to obtain a certificate from Let's Encrypt if you don't have an existing HTTP site accessible on the public Internet. The most-used method for verifying that you are entitled to the certificate involves the Let's Encrypt CA connecting to your site to download challenge files from it, which isn't going to work automatically if your publicly-visible site doesn't exist or isn't hosted in the same place where you run Certbot.
You can get a Let's Encrypt certificate in other setups (like for a private or internal service), but it's likely to be more work and not necessarily be required for your use case.