I assume you are interested in the Let's Encrypt part. Basically, I'm running an Ansible script on my computer, which creates an account key, the server key and requests a certificate. The server key and the certificate are then distributed to the servers that need them, leaving the original account key only on my machine. The Let's Encrypt verification happens via my DNS provider, which happens to have an Ansible module.
Here's the source code: [link redacted]
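
A sketch of the workflow described in the post above, added as an example; it is not the poster's playbook and not taken from the linked source. It assumes the `community.crypto` collection; the domain, the local `pki` directory, the `webservers` group and the destination paths are hypothetical, and the DNS publishing step is left as a comment because the provider is not named.

```yaml
# Added example. Domain, paths and host group are constructed placeholders.
- name: Issue the certificate on the control machine (account key stays here)
  hosts: localhost
  connection: local
  gather_facts: false
  vars: &pki_vars
    domain: www.example.org              # constructed sample domain
    pki: "{{ playbook_dir }}/pki"        # hypothetical local directory
  tasks:
    - name: Create a private local directory for keys
      ansible.builtin.file: {path: "{{ pki }}", state: directory, mode: "0700"}
    - name: Create the ACME account key and the server key
      community.crypto.openssl_privatekey:
        path: "{{ pki }}/{{ item }}.key"
        mode: "0600"
      loop: [account, "{{ domain }}"]
    - name: Create the CSR from the server key
      community.crypto.openssl_csr:
        path: "{{ pki }}/{{ domain }}.csr"
        privatekey_path: "{{ pki }}/{{ domain }}.key"
        common_name: "{{ domain }}"
        subject_alt_name: "DNS:{{ domain }}"
    - name: Ask the CA for a dns-01 challenge (staging directory)
      community.crypto.acme_certificate: &acme
        account_key_src: "{{ pki }}/account.key"
        csr: "{{ pki }}/{{ domain }}.csr"
        fullchain_dest: "{{ pki }}/{{ domain }}.pem"
        challenge: dns-01
        acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
        acme_version: 2
        terms_agreed: true
      register: chal
    # Publish chal.challenge_data_dns (record name -> list of TXT values)
    # here with your DNS provider's Ansible module, then let it propagate.
    - name: Complete validation and write the certificate chain
      community.crypto.acme_certificate:
        <<: *acme
        data: "{{ chal }}"
      when: chal is changed

- name: Distribute only the server key and certificate
  hosts: webservers                      # hypothetical inventory group
  become: true
  vars: *pki_vars
  tasks:
    - name: Copy server key and certificate (never account.key)
      ansible.builtin.copy:
        src: "{{ pki }}/{{ item.file }}"
        dest: "{{ item.dest }}"
        owner: root
        mode: "{{ item.mode }}"
      loop:
        - {file: "{{ domain }}.key", dest: "/etc/ssl/private/{{ domain }}.key", mode: "0600"}
        - {file: "{{ domain }}.pem", dest: "/etc/ssl/certs/{{ domain }}.pem", mode: "0644"}
```

Because `account.key` is created and read only in the `localhost` play, a compromised server exposes its own server key but not the credential that can request or revoke certificates for the account.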