@PoolMUC Hmm. Indeed i have no webserver running, but also no opportunity to use Certbot as i am using an NTP appliance.
What’s the alternative?
If you don’t run a webserver, the certbot can do this for you.
But you need to open de ports.
Something like this:
certbot certonly --webroot -w /var/www -d www.example.com
I hope this is correct, as I run KeyHelp free hosting panel that does all this stuff for me 
Yet, I keep failing to understand why time should be encrypted 
You can run acme.sh on it. Addiotinal requirement is (IIRC) nc.
I’ve set it up already - can take a look and give you instructions how to. It’s been a while that i’ve done that
If none of the other hints helped, one thing you can also do is point your DNS temporarily to another IPv6 or even IPv4 address, belonging to a machine where you can run certbot or one of the other tools available. And switch back once you got the certificate. Obviously a bit tedious, but as you get more experience, you might eventually find better/more efficient ways, within the constraints of your environment/setup, to get a certificate.
Or you could use the DNS-based method, as suggested by @grifferz, because that can definitely be run in a place other than the actual NTP server. It might be a bit more effort to set up initially, e.g., because you need to find the proper plugin (hoping one exists for your DNS provider, because that one needs to support adding the kind of DNS records needed for the verification), and configure it with credentials etc. (which is why I typically use the built-in web server when possible).
But once you have figured out how to do that, and set things up, you could run certbot pretty much from anywhere you want, as long as certbot can communicate with Let’s encrypt as well as your DNS provider.