To obtain a DNS-verified certificate for the websocket server:

    certbot certonly -d w02.wrede.ca -d ws.wrede.ca \
        --dns-rfc2136 \
        --dns-rfc2136-credentials /usr/local/etc/letsencrypt/certbot_dns_rfc2136.ini \
        --dns-rfc2136-propagation-seconds 10

and the rfc2136.ini file looks like:

    # Target DNS server
    dns_rfc2136_server = 192.168.196.248
    # Target DNS port
    dns_rfc2136_port = 53
    # TSIG key name
    dns_rfc2136_name = tsig-key
    # TSIG key secret
    dns_rfc2136_secret = 1KsWP8ZkZxBDKS0RQ2n3bkz1xpVPtz3Tk1y3r/dF+4knwGBzscse8iewaEr/6jUtxaL1taGME6eqSDtV2SD8NQ==
    # TSIG key algorithm
    dns_rfc2136_algorithm = HMAC-SHA512
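The credentials file holds a TSIG secret that can update the zone, and certbot warns when other users can read it. The following check is an added example, not part of the original note: `ini_get` and `check_rfc2136_ini` are hypothetical helper names, and accepting only SHA-2 TSIG algorithms is this example's own policy.

```shell
#!/bin/sh
# Added example, not from the original page. ini_get and check_rfc2136_ini
# are hypothetical helper names; the SHA-2-only rule is this example's policy.

# Print the value assigned to key $2 in ini file $1 (last assignment wins).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Exit status 0 if the file is fit to hand to certbot, 1 otherwise.
check_rfc2136_ini() (
    f=$1
    rc=0
    [ -f "$f" ] || { echo "missing file: $f" >&2; exit 1; }

    # The TSIG secret authorises zone updates, so require owner-only access.
    # GNU stat takes -c, BSD stat takes -f.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in
        600|400) ;;
        *) echo "mode $mode is too open: chmod 600 $f" >&2; rc=1 ;;
    esac

    # All five settings shown in the credentials file must be present.
    for k in server port name secret algorithm; do
        [ -n "$(ini_get "$f" "dns_rfc2136_$k")" ] ||
            { echo "missing setting dns_rfc2136_$k" >&2; rc=1; }
    done

    # Policy assumption: refuse HMAC-MD5 and HMAC-SHA1 keys.
    case $(ini_get "$f" dns_rfc2136_algorithm) in
        HMAC-SHA224|HMAC-SHA256|HMAC-SHA384|HMAC-SHA512) ;;
        *) echo "TSIG algorithm is not in the SHA-2 family" >&2; rc=1 ;;
    esac

    # The secret must be well-formed base64: valid alphabet, length % 4 == 0.
    s=$(ini_get "$f" dns_rfc2136_secret)
    if ! printf '%s\n' "$s" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' ||
        [ $(( ${#s} % 4 )) -ne 0 ]; then
        echo "dns_rfc2136_secret is not valid base64" >&2; rc=1
    fi
    exit "$rc"
)
```

Call `check_rfc2136_ini /usr/local/etc/letsencrypt/certbot_dns_rfc2136.ini` before the `certbot certonly` run and proceed only on exit status 0.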