Certbot semi-manual operation

I wouldn't store the certificates under the user's home directory (/home/djechelon/..../ssl/) for the reason that if the user removes the certificate files, Apache fails to start. I agree with your reasoning that it's better if Certbot doesn't mess with the web server configuration, but currently it seems that you are effectually causing the same problem you are trying to avoid, and thus I'm trying to warn you.

There's no reason to use the home directory for HTTP-01 challenges or log files, and it's also possible to use a static configuration with Apache, using Certbot in certonly mode as you already do.

My solution for automatic renewals is using the same working directory for all the HTTP-01 challenges (from /etc/letsencrypt/renewal/example.com.conf):

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
account = 0123456789abcdef0123456789abcdef
rsa_key_size = 4096
[[webroot_map]]
example.com = /var/www/letsencrypt
www.example.com = /var/www/letsencrypt

This way it's possible to add a global Alias that handles all the challenges, but it's also possible to put it only in the virtual hosts where it's required:

<IfModule alias_module>
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
</IfModule>
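A way to check a setup against the layout described in the answer above, as an added example that is not part of the original answer or of Certbot: it parses a renewal file, flags certificate paths or webroots under /home, and confirms that the Apache Alias points at the shared webroot. The function names and the `/home/alice` sample are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

CHALLENGE = ".well-known/acme-challenge"
PATH_KEYS = ("archive_dir", "cert", "privkey", "chain", "fullchain")
# Constructed sample of the layout the answer warns against (user "alice" is made up).
BAD_RENEWAL = """cert = /home/alice/ssl/cert.pem
privkey = /home/alice/ssl/privkey.pem
[renewalparams]
authenticator = webroot
[[webroot_map]]
example.com = /home/alice/www
www.example.com = /var/www/letsencrypt
"""
ALIAS = "Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/"

def parse_renewal(text):
    """Split a renewal file into top-level options and the [[webroot_map]] entries."""
    top, webroots, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, _, value = line.partition("=")
        if section is None:
            top[key.strip()] = value.strip()
        elif section == "webroot_map":
            webroots[key.strip()] = value.strip()
    return top, webroots

def under_home(path):
    return PurePosixPath(path).parts[:2] == ("/", "home")

def audit(renewal_text, apache_text):
    """Return findings; an empty list means the layout matches the answer's setup."""
    top, webroots = parse_renewal(renewal_text)
    roots = set(webroots.values())
    findings = [f"{k} is under /home: {top[k]}" for k in PATH_KEYS if under_home(top.get(k, ""))]
    findings += [f"webroot is under /home: {r}" for r in sorted(roots) if under_home(r)]
    if len(roots) != 1:
        findings.append(f"expected one shared webroot, found {len(roots)}")
    expected = {str(PurePosixPath(r) / CHALLENGE) for r in roots}
    aliases = re.findall(r"^\s*Alias\s+/\.well-known/acme-challenge/?\s+(\S+)", apache_text, re.M)
    if not aliases:
        findings.append("no Alias for /.well-known/acme-challenge/ found")
    findings += [f"Alias target {a} matches no webroot" for a in aliases
                 if a.strip('"').rstrip("/") not in expected]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(BAD_RENEWAL, ALIAS)) or "ok")
```

Run against the renewal file and Alias shown in the answer, `audit` returns an empty list.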