so - if you want to get certificates for an imap only server, you will have to setup an webserver for the challenge. or deal with your dns server.
Having just setup up some LetsEncrypt certificates on a CentOS server:
Certbot automates the process - if you have a webserver running, it will use that; if you don't, it attaches a minimalistic web server to port 80 to respond to the LetsEncrypt challenges. It's very, very easy. (The challenges are purely to verify that you are the owner of the domain you are asking for certificates for.)
The certificates it generates can be used for IMAP and SMTP as well.
certbot will automatically renew the certificates 2 weeks (I think) before they expire - it does not need the web/dns challenges for renewal. There are hooks in the process to put the renewed certificates wherever you want, otherwise it puts them where your web server is expecting them.
P.