Let's encrypt has to validate that you own the domain. That is possible by a variety of plugins.
- Apache and Nginx are no option, because they also want to configure the service.
- Standalone was not working, because the script complained that apache is already using port 443.
- Manual was also not working, but I don't remember the error message.
- Webroot was working and the script will create the directories .well-known/acme-challenge
After the creation of the certificate no files were inside of the directories. I don't know if the script will create some during execution and will delete them afterwards.