The idea of certbot is simple:
1) Certbot places some data (a file) at a certain URL (/.well-known).
2) It then contacts the Let's Encrypt server.
3) The Let's Encrypt server polls the website where certbot runs, from different addresses, and thereby makes sure that the server is who it claims to be.
4) Let's Encrypt gives certbot the certificate/key.
How to set it up:
1) Use certbot in webroot mode (not nginx mode).
2) In nginx, configure /.well-known to point to where certbot puts the file that Let's Encrypt will check.
3) Tell nginx to take the certificate/key from where certbot put them.
The file paths for points 2) and 3) should be specified in the certbot parameters.
That is, wherever certbot puts the files, nginx takes them from there.
A Let's Encrypt certificate is valid for 90 days, so you need to renew it (of course, more often than once every 3 months).
Certbot remembers your settings, so for a renewal you do not have to give all the options and paths again.
And of course nginx must be reachable from the outside, specifically at the URL "/.well-known" itself.
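
A configuration matching points 1) to 3) and the renewal note, as an added example that is not part of the original note. The domain example.com, the webroot /var/www/letsencrypt, the site root /var/www/html and the systemd reload command are assumptions; the certificate paths are certbot's default location.

```nginx
# Added example; example.com and /var/www/letsencrypt are assumed names.
# These server blocks belong inside the http {} context.
#
# Issue (webroot mode; certbot does not touch the nginx config):
#   certbot certonly --webroot -w /var/www/letsencrypt -d example.com
# Renew (certbot reuses the saved settings); the reload assumes systemd:
#   certbot renew --deploy-hook "systemctl reload nginx"

# Port 80 must be reachable from the outside: the validation request arrives here.
server {
    listen 80;
    server_name example.com;

    # Point 2: certbot writes the challenge file to
    # /var/www/letsencrypt/.well-known/acme-challenge/<token>,
    # so "root" is the same directory that was passed to -w.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;   # serve only files that exist, nothing else
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Point 3: nginx reads the certificate and key from where certbot stores them.
# Add this block only after the first certificate exists; nginx refuses to
# start when the files named here are missing.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        root /var/www/html;   # assumed site root, kept separate from the challenge directory
    }
}
```

Keeping the challenge directory separate from the site root means certbot only needs write access to a directory that holds nothing else.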