It's not overly intuitive.
1) I've been told that Virtualmin is very particular of the packages one has installed on the system and the way to install certbot involves adding a bunch of packages from a backport distro. Seems like there's opportunity for problems there.
2) Google can't show me any documentation for the Let's Encrypt tab of the SSL configuration page.
3) I had to create a virtualhost with the FQDN of the webmin install. Why can't the script just append port 10000 when testing? Why duplicate things into a virtualhost running on the production side of the house?
4) The meat of why I'm here. The certificate request process creates files owned by root:root that the virtualmin process apparently can't read because they're being flagged as 404s when I see those files when I do an
I haven't thought of a way out of #4 yet.