Set up the following directory structure (look at the others there as an example):

$ sudo tree -a /var/www/well-known
/var/www/well-known
+-- example.com
    \-- .well-known -> .

For your regular HTTP site (non-SSL) add the following to your <VirtualHost/> block:

Include /etc/apache2/conf-available/well-known.conf

Now reload Apache for your configuration to take effect.

Finally run:

sudo certbot certonly --webroot -w /var/www/well-known/example.com -d example.com -d www.example.com

N.B. you can append many more sub-domains on there if you want to use use multiple domains in the same certificate, though you you will need to softlink /var/www/well-known/subdomain.example.com to /var/www/well-known/example.com

Now go back to your <VirtualHost/> block for your domain and make the opening look like:

<VirtualHost *:80 *:443>

Now slip into in the following lines into the block its-self:

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Finally, do one last reload and you should have a secure site (with your non-secure site redirecting to the secure one).