1. certbot -d <domain> --manual --preferred-challenges dns certonly

2. add TXT record

3. check with `dig <my-domain>` TXT

4. wait. once you see the record, continue.