Comment 5 for bug 1938961

I think that the self-signed is required before certbot has run for the first time, as haproxy won't start with an SSL configuration but missing certificate. HAProxy is 'in the datapath' for the first LE issuance so must be running before the first run of certbot.

Chicken/egg situation requires the self-signed cert to be available initially.