The Let's Encrypt (LE) project
https://letsencrypt.org
https://en.wikipedia.org/wiki/Let%27s_Encrypt
https://wasd.vsm.com.au/wasd_root/src/wucme/readmore.html
has simplified browser-trusted server certification for the SOHO cohort,
and wuCME does the same for the WASD cohort.
Previously, wuCME exclusively used the HTTP-01 challenge to demonstrate
control of a host domain name. This requires that port 80 be open and
configured to answer that challenge. Not a big issue at all.
However, WASD now provides a no-configuration alternative: TLS-ALPN-01,
described by RFC 8737.
As with much of the rest of wuCME this is based on core code from Nicola Di
Lieto, licensed and distributed under GPLv3.
WASD agent scripting, that is, a script undertaking some processing on behalf
of the server rather than an external client, was formalised with WASD v12.0.
In this context an independent process performs the calculations required for
TLS-ALPN-01 functionality. With this approach to challenge response, a
partial TLS connection specifying an Application-Layer Protocol Negotiation
of "acme-tls/1" is recognised by WASD and the appropriate wuCME executable is
activated to provide the challenge response to the server, completing the
transaction. All of this is performed on port 443; port 80 is not involved.
Requires a minimum of WASD v12.3.0 and wuCME v2.0.0.
It has been in use for a number of months and has processed dozens of
certificate renewals.
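The two halves of the mechanism described above, as an added example that is
not wuCME or WASD code: recognising a challenge connection by its negotiated
ALPN value, and computing the acmeIdentifier extension that the responder's
certificate must carry (RFC 8737 section 3, key authorization per RFC 8555
section 8.1, account key thumbprint per RFC 7638). The token and JWK are
constructed sample values, not real account material.

```python
"""TLS-ALPN-01 (RFC 8737) challenge helpers, standard library only."""
import base64
import hashlib
import json
from typing import List, Optional

ACME_TLS_ALPN = "acme-tls/1"                 # ALPN id that marks a challenge connection
ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.31"   # id-pe-acmeIdentifier; must be marked critical


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def acme_identifier_extension(token: str, jwk: dict) -> bytes:
    """DER value of the acmeIdentifier extension: OCTET STRING of SHA-256(keyAuthorization)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b"\x04\x20" + digest   # tag 0x04 (OCTET STRING), length 0x20 (32 bytes)


def is_challenge_connection(selected_alpn: Optional[str]) -> bool:
    """The front-end decision: hand the connection to the challenge responder only when
    the client negotiated acme-tls/1; h2, http/1.1 or no ALPN is ordinary HTTPS traffic."""
    return selected_alpn == ACME_TLS_ALPN


def validator_accepts(presented_san: List[str], ext_critical: bool, ext_value: bytes,
                      expected_name: str, token: str, jwk: dict) -> bool:
    """What the ACME server checks on the presented certificate (RFC 8737 section 3):
    exactly one dNSName equal to the identifier, and a critical extension with the digest."""
    return (presented_san == [expected_name]
            and ext_critical
            and ext_value == acme_identifier_extension(token, jwk))


# Constructed sample values for demonstration only (not a real key or token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y"}
SAMPLE_TOKEN = "constructed-challenge-token"
```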
References
~~~~~~~~~~
https://letsencrypt.org/docs/challenge-types/
https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation
https://datatracker.ietf.org/doc/html/rfc8737
https://github.com/ndilieto/uacme