The users could login using the server name, and their username / password, however I agree id they don’t know the servername, and only their domain name then you ideally need to use a certificate for their domain ( personally I give them instructions to use the servername to access their cpanel - but understand you are not doing it that way )
You could do a redirect on anotherdomain/cpanel to go to https ://fex2.servername.com:2083 which is probably the next easiest solution ( and would redirect them to the secure server login for their domain )
You can obtain a certificate with up to 100 SANs (alternate names) on it, and use that - if 100 domains is sufficient for your server ( so 50 domains with and without www. ) If the domains you host change over time though, this can become tricky to manage (which is why I don’t use that method)
You can add an SSL cert on for every domain on the server ( but the /cpanel will still I think get redirected to the sever name / cert )
You either need to install certbot ( the official client) or one of the alternate clients in order to obtain a certificate, yes.
the "sudo yum … " commands are shell commands, so you need to SSH into your server to get to the prompt for these commands.
One other option, cpanel are currently working on integrating LetsEncrypt into cpanel, which I understand is due for the next main release … so if waiting a couple of months isn’t too long there may be an easy option for you once they have officially integrated it.