Install the certbot package.
certbot certonly --apache -m postmaster@technomancer.com --agree-tos -d hostname.technomancer.com
Make sure to add a CAA record for the domain to the relevant DNS zone:
technomancer.com. IN CAA 128 issue "letsencrypt.org"
CAA records inform CAs which are allowed to issue certs for the named domain. It won’t stop a bad actor outright, but will stop someone from using a legitimate CA that checks CAA records from issuing domains on my behalf.