by tannhaeuser 3172 days ago
Don't know where you get that idea from. The reference implementation for letsencrypt has always been (a Python-based collection of scripts with auto-config, auto-update etc.) for Apache httpd. A native Apache module for ACME has been proposed for some time now, and is great because the reference implementation is quite a bit too rich to run as root (and is Python 2 only I believe).
1 comments

certbot, the reference ACME implementation, should work with Python 2 and 3 (it definitely works with 3; I haven't verified 2 with recent versions), and it does not require root (though the default configuration will want it).
IIRC, the last time I set it up, I stuck HAProxy in front so I could still send ACME requests to certbot, but didn't have to have it running as root. If you put its user in the HAProxy group, it can write the certs as 640. If you want to be really secure, you create SELinux or AppArmor policies as well.
I use HAProxy + Certbot too (with a certbot "hook" script that builds the .pem for HAProxy AND downloads the OCSP staples from LE).

As a bonus, you can have zero downtime renewals and use the TLS-SNI challenge, rather than relying on the "it's probably safe but it still feels wrong" http challenge.
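A constructed example of the kind of certbot deploy hook described in the comments above (added here; not the commenter's script): it builds the combined `.pem` HAProxy expects with 0640 permissions owned by the HAProxy group, fetches the OCSP response to sit next to it as `<cert>.pem.ocsp`, and reloads HAProxy. `RENEWED_LINEAGE` is the variable certbot sets for deploy hooks; the `/etc/haproxy/certs` directory, the `haproxy` group, and the use of `openssl ocsp` for the staple are assumptions.

```sh
#!/bin/sh
# Constructed example of a certbot --deploy-hook for HAProxy (not the commenter's own script).
# Assumptions: certs live under RENEWED_LINEAGE (set by certbot), HAProxy reads PEMs from
# HAPROXY_CERT_DIR, and the unprivileged certbot user is a member of HAPROXY_GROUP.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_GROUP="${HAPROXY_GROUP:-haproxy}"

# Build <name>.pem = fullchain + private key, mode 0640 so only the owner (certbot user)
# and the haproxy group can read it. Write to a temp file and rename so HAProxy never
# loads a half-written certificate. Prints the path of the resulting PEM.
build_haproxy_pem() {
    lineage="$1"; outdir="$2"
    name=$(basename "$lineage")
    tmp=$(mktemp "$outdir/.$name.XXXXXX")          # created 0600 by mktemp
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 0640 "$tmp"
    chgrp "$HAPROXY_GROUP" "$tmp" 2>/dev/null || true   # group may not exist outside a real host
    mv -f "$tmp" "$outdir/$name.pem"
    printf '%s\n' "$outdir/$name.pem"
}

# Fetch the OCSP response for the leaf certificate from the CA's responder and store it as
# <pem>.ocsp, the filename HAProxy loads alongside the PEM to serve as a staple.
# Needs network access; -VAfile trusts the issuer from chain.pem to sign the response.
fetch_ocsp_staple() {
    lineage="$1"; pem="$2"
    url=$(openssl x509 -noout -ocsp_uri -in "$lineage/cert.pem")
    openssl ocsp -issuer "$lineage/chain.pem" -cert "$lineage/cert.pem" \
        -url "$url" -no_nonce -VAfile "$lineage/chain.pem" \
        -respout "$pem.ocsp.tmp" >/dev/null 2>&1
    mv -f "$pem.ocsp.tmp" "$pem.ocsp"
}

# Entry point when certbot invokes the hook after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem=$(build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR")
    fetch_ocsp_staple "$RENEWED_LINEAGE" "$pem"
    systemctl reload haproxy    # reload, not restart: existing connections are kept
fi
```

Pass it to certbot as `--deploy-hook /path/to/this-script.sh`; when the file is sourced without `RENEWED_LINEAGE` set, only the functions are defined.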