certbot certonly --apache -m firstname.lastname@example.org --agree-tos -d hostname.technomancer.com
Make sure to add a CAA record for the domain to the relevant DNS zone:
technomancer.com. IN CAA 128 issue "letsencrypt.org"
CAA records inform CAs which are allowed to issue certs for the named domain. It won’t stop a bad actor outright, but will stop someone from using a legitimate CA that checks CAA records from issuing domains on my behalf.