To obtain a DNS verified certificate for the websockert server:

certbot certonly -d w02.wrede.ca -d ws.wrede.ca --dns-rfc2136 --dns-rfc2136-credentials /usr/local/etc/letsencrypt/certbot_dns_rfc2136.ini --dns-rfc2136-propagation-seconds 10

and the rfc2136.ini file looks like:

Target DNS server

dns_rfc2136_server = 192.168.196.248

Target DNS port

dns_rfc2136_port = 53

TSIG key name

dns_rfc2136_name = tsig-key

TSIG key secret

dns_rfc2136_secret = 1KsWP8ZkZxBDKS0RQ2n3bkz1xpVPtz3Tk1y3r/dF+4knwGBzscse8iewaEr/6jUtxaL1taGME6eqSDtV2SD8NQ==

TSIG key algorithm

dns_rfc2136_algorithm = HMAC-SHA512