Install the latest certbot for your system.

Debian:
sudo apt-get install certbot

Windows:
Download and install the latest certbot application and run CMD or Powershell as administrator
https://certbot.eff.org/lets-encrypt/windows-other Broken 2022

https://certbot.eff.org/instructions?ws=other&os=windows New Link 2022

In your terminal or cmd window:

certbot -d mydomain.com,www.mydomain.com,othersub.mydomain.com --manual certonly

 Then follow the prompts and answer yes to IP logging.

By default certbot will validate the domain against an HTTP challenge.
The http challenge will ask you to place 'Keys' in a file with a specific name and specific content in the /.well-known/acme-challenge/ directory directly in the top-level directory (“web root”) containing the files served by your webserver, for the domain you're specifying.
You'll know what file name and key content is required from the terminal/cmd prompts.

If you want to use the DNS challenge, simply specify in the certbot command:

certbot -d mydomain.com,www.mydomain.com,othersub.mydomain.com --manual --preferred-challenges dns certonly

 If you want to use a CSR generated by your server, specify this instead of domain in the commandr:

certbot --csr my_csr.csr --manual --preferred-challenges dns certonly

 More information can be found here
https://certbot.eff.org/docs/using.html#manual