However, as far as I understood, there is an API that will just hand out the certificate.
I guess they don't want it to be accessed by a web browser because they want us to regenerate and include a newer cert automatically.
So you have a somewhat higher setup cost (set up automatic cert update rather than a one-time download of your cert), but then you can't forget to update your cert over the years.
I believe they also want this to be a fast disaster recovery. So if their main intermediate certificate is compromised, they can revoke it and hand out new certificates (using the backup intermediate cert) for all domains within a very short amount of time.
Nevertheless, I would have preferred a good explanation about how to set up this process manually, rather than depending solely on their tool.
(In case this process is too cumbersome without their tool, they should simplify it rather than hiding this in their tool.)
Yes, there are now several options to manually attain the certificate.
There is a "manual" mode: "Here is the file that you need to post, press Enter when you are ready to continue."
There is a "standalone" option. If you don't have a webserver running, it will bind to port 443 and solve the challenge for you.
There is also a "Webroot" option. Enter in your server's webroot and it will automatically post a file to .well-known and delete the file after validation.
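
What the "webroot" flow described above amounts to on disk, as an added example that is not part of the original posts and is not the client's own code: it writes one file under the webroot and removes it after validation, touching no server configuration. The `.well-known/acme-challenge/` path and the `token.thumbprint` file content follow the ACME HTTP-01 challenge (RFC 8555, RFC 7638); the function names, the token and the account key values are hypothetical and constructed.

```python
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"  # RFC 8555 HTTP-01 location
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")                # base64url alphabet only

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the canonical JSON
    of the required members only (e, kty, n), base64url without padding."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def key_authorization(token, jwk):
    """Content the CA expects to fetch: '<token>.<account key thumbprint>'."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def publish_challenge(webroot, token, jwk):
    # The token comes from the CA and becomes a file name, so reject anything
    # outside the base64url alphabet before building a path from it.
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to build a path from it")
    target_dir = Path(webroot) / CHALLENGE_DIR
    target_dir.mkdir(parents=True, exist_ok=True)
    path = target_dir / token
    path.write_text(key_authorization(token, jwk))
    return path

def remove_challenge(path):
    """Clean up after validation so no challenge response stays published."""
    path.unlink(missing_ok=True)

def demo():
    # Constructed sample values, not a real account key or CA-issued token.
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus", "alg": "RS256"}
    token = "constructedToken_123"
    with tempfile.TemporaryDirectory() as webroot:
        path = publish_challenge(webroot, token, jwk)
        served = path.read_text()
        remove_challenge(path)
        return served, path.exists(), path.relative_to(webroot).as_posix()

if __name__ == "__main__":
    print(demo())
```
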
I'd like a manual mode, as years of sysadmin work have made me extremely skeptical of tools that try to automatically modify config files.