How can we add Let's Encrypt SSL support to our mapped domains?

Searching through the forums, there is a lot of information here and there about incorporating Let's Encrypt SSL support. Some of these touch on server configuration, some of these touch on cPanel, but almost all of them are pre-March 2018 – a time when LE has changed a lot and now offers wildcard support.

Can we please have a formal, universal, up-to-date guide on how to integrate Let's Encrypt with our Pro Sites? (If this already exists or is in progress, can we get a link?)

Here is the scenario I need to cover, but I think this would be the case for all of us who are running a multisite with Pro Sites and WPMU Domain Mapping.

— A user signs up for a site and gets a subdomain site to start building: At this point, LE supports wildcards, so here we should have SSL support immediately after sign-up, automatically.

(Question #1 is, how do we set this up?).

— Client then finishes building site. Client has option to use Pro Sites and Domain Mapping to map their own TLD when ready.

(Question #2: What steps can client take to make sure mapped domain is covered by SSL?)

Things really start to get confusing for me there in Step 2. I don't want to have to go into the server each time I set up a client site and manually add a vhost, as this is counterproductive to allowing the client to do this themselves when ready.

Is this possible? If so, how would we configure this? If this is not possible, and I have to go in and create a vhost file, then what would those steps be?

A lot of information in the earlier threads discusses cPanel. But many of us, like myself, are not using cPanel but are using certbot via the command line, so it would be great if a guide / solution covered both.