Origin

This is cribbed heavily from https://developer.epages.com/blog/tech-stories/managing-lets-encrypt-certificates-in-vault/ and tweaked to use certbot's dns-rfc2136 plugin (dynamic DNS updates to our own nameservers) instead of dnsimple, and to run under nomad.

Initial Setup

# On the host: mint a token restricted to the certbot-nomad policy and hand it to the container.
# The policy needs write access under secret/lets-encrypt/ and nothing else.
export VAULT_ADDR=https://vault.service.consul.sihnon.net:8200
export CERTBOT_TOKEN=$(vault token create -policy certbot-nomad -field token)
docker run -ti -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$CERTBOT_TOKEN --entrypoint sh docker-registry.sihnon.net:5000/certbot-nomad:latest

# Inside the container: register the ACME account once, then store it in Vault.
# private_key.json is the ACME account key; regr.json is the registration record.
certbot register --non-interactive --agree-tos -m webmaster@example.com
export ACCOUNT_PARENT_PATH=/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
export ACCOUNT_ID=$(ls $ACCOUNT_PARENT_PATH)
vault kv put secret/lets-encrypt/account/extra_details "account_id=$ACCOUNT_ID"
for i in meta private_key regr; do
  vault kv put "secret/lets-encrypt/account/$i" "@$ACCOUNT_PARENT_PATH/$ACCOUNT_ID/$i.json"
done

Register new cert

# On the host
export VAULT_ADDR=https://vault.service.consul.sihnon.net:8200
export CERTBOT_TOKEN=$(vault token create -policy certbot-nomad -field token)
docker run -ti -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$CERTBOT_TOKEN --entrypoint sh docker-registry.sihnon.net:5000/certbot-nomad:latest

# Inside the container: restore the account from Vault, then request the cert.
# The deploy hook runs after a successful issue/renewal and is also recorded in the renewal config.
source /usr/local/bin/initialise.sh
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/creds.ini --dns-rfc2136-propagation-seconds 210 --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/00-update-vault.sh -d www.benroberts.net
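The page does not show the contents of 00-update-vault.sh. The following is an added example of what such a deploy hook can look like, not the page's own script: it copies the renewed lineage into Vault under secret/lets-encrypt/certs/<first domain> (that path is an assumption). certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (space-separated) to deploy hooks; the script refuses to call vault if any PEM file is missing, and uses the CLI's @file syntax so the private key never passes through argv.

```shell
#!/bin/sh
# Added example deploy hook (not the page's 00-update-vault.sh).
# Assumed KV layout: secret/lets-encrypt/certs/<first renewed domain>.
# certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS for --deploy-hook scripts.
set -u

# Write the lineage's PEM files into one KV entry. "key=@file" makes the vault
# CLI read each value from disk. Returns 1 without calling vault if a file is
# missing or empty, so a half-written lineage never lands in Vault.
store_lineage_in_vault() {
    lineage=$1
    name=$2
    for f in privkey fullchain cert chain; do
        if [ ! -s "$lineage/$f.pem" ]; then
            printf 'deploy hook: missing %s/%s.pem\n' "$lineage" "$f" >&2
            return 1
        fi
    done
    vault kv put "secret/lets-encrypt/certs/$name" \
        "privkey=@$lineage/privkey.pem" \
        "fullchain=@$lineage/fullchain.pem" \
        "cert=@$lineage/cert.pem" \
        "chain=@$lineage/chain.pem"
}

# The KV entry is named after the first renewed domain (e.g. www.benroberts.net).
lineage_name() {
    set -- $1
    printf '%s\n' "$1"
}

# Entry point when certbot runs this file as the deploy hook; a no-op when the
# variables are absent, so the functions can also be sourced.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${RENEWED_DOMAINS:-}" ]; then
    store_lineage_in_vault "$RENEWED_LINEAGE" "$(lineage_name "$RENEWED_DOMAINS")"
fi
```

Because the hook writes the private key, the certbot-nomad policy should allow writes only under secret/lets-encrypt/ and the consumers should have read-only access to the certs path.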

Failures

Waiting for verification...
Challenge failed for domain www.benroberts.net
dns-01 challenge for www.benroberts.net
Cleaning up challenges
Some challenges have failed.

One or more of the DNS servers are not up to date: Let's Encrypt may query any of the authoritative servers for the _acme-challenge TXT record, so a secondary that has not yet picked up the zone change fails the challenge. Compare the SOA serials across the servers with:

# fish
for f in triumph tracey santo georgia ns6.gandi.net;
  printf "%-20s" $f ;
  dig +short SOA sihnon.net @$f ;
end

If one of them is behind, reload it. If ns6.gandi.net is behind, give it 60s to catch up, and if it is still lagging, reload one of the others arbitrarily to force a sync. If the lag is consistently longer than the 210s given to --dns-rfc2136-propagation-seconds, raise that value instead.
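The same SOA comparison as a pre-flight script that can run before certbot certonly, added here as an example rather than taken from the page. It treats a server that returns no numeric serial (timeout, SERVFAIL) as behind, since that server will not answer the challenge query either, and polls for the 60s the note above allows before giving up. The zone and server names in the usage comment are the page's; the 5s poll interval and the awk parsing of dig's output are this example's own choices.

```shell
#!/bin/sh
# Added example: check that every authoritative server serves the same SOA
# serial before asking Let's Encrypt to validate a dns-01 challenge.
set -u

# Read "server serial" lines on stdin. Print every server whose serial is
# below the highest one seen and return 1; return 0 when all serials agree.
# An empty or non-numeric serial counts as behind.
serials_in_sync() {
    rows=$(cat)
    max=-1
    while read -r server serial; do
        [ -n "$server" ] || continue
        case "$serial" in
            ''|*[!0-9]*) serial=-1 ;;
        esac
        if [ "$serial" -gt "$max" ]; then max=$serial; fi
    done <<EOF
$rows
EOF
    [ "$max" -ge 0 ] || return 1      # nobody answered at all
    status=0
    while read -r server serial; do
        [ -n "$server" ] || continue
        case "$serial" in
            ''|*[!0-9]*) serial=-1 ;;
        esac
        if [ "$serial" -lt "$max" ]; then
            printf '%s\n' "$server"
            status=1
        fi
    done <<EOF
$rows
EOF
    return $status
}

# Ask each server for the zone's SOA. "dig +short SOA" answers with
# "mname rname serial refresh retry expire minimum"; keep the first numeric
# third field, which leaves the serial empty when the query fails.
zone_serials() {
    zone=$1; shift
    for ns in "$@"; do
        serial=$(dig +short +time=3 +tries=1 SOA "$zone" "@$ns" 2>/dev/null \
                 | awk '$3 ~ /^[0-9]+$/ { print $3; exit }')
        printf '%s %s\n' "$ns" "$serial"
    done
}

# Poll until every server serves the same serial or the deadline passes.
# Prints the lagging servers on each failed round, so you know which to reload.
wait_for_zone_sync() {
    zone=$1; timeout=$2; shift 2
    elapsed=0
    while :; do
        if behind=$(zone_serials "$zone" "$@" | serials_in_sync); then
            return 0
        fi
        printf 'serials differ for %s; behind: %s\n' "$zone" \
            "$(printf '%s' "$behind" | tr '\n' ' ')" >&2
        [ "$elapsed" -lt "$timeout" ] || return 1
        sleep 5
        elapsed=$((elapsed + 5))
    done
}

# Usage (needs network), e.g. right before certbot certonly:
#   wait_for_zone_sync sihnon.net 60 triumph tracey santo georgia ns6.gandi.net || exit 1
```

Run it against the zone that actually receives the _acme-challenge TXT record; if a server is still behind when the loop gives up, reload it as described above and rerun.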