So I struggled for far too long trying to get a Let's Encrypt AutoSSL certs setup on my CWP server, and finally figured it out.
For the hostname cert, when performing the Change Hostname function in Server Settings, I was getting the error:
AutoSSL: Issue Failed![Thu Sep 27 16:15:17 EDT 2018] Single domain='<host>.<domain>.<tld>'
[Thu Sep 27 16:15:17 EDT 2018] Getting domain auth token for each domain
[Thu Sep 27 16:15:17 EDT 2018] Getting webroot for domain='<host>.<domain>.<tld>'
[Thu Sep 27 16:15:17 EDT 2018] Getting new-authz for domain='<host>.<domain>.<tld>'
[Thu Sep 27 16:15:19 EDT 2018] The new-authz request is ok.
[Thu Sep 27 16:15:19 EDT 2018] Verifying:<host>.<domain>.<tld>
[Thu Sep 27 16:15:23 EDT 2018] <host>.<domain>.<tld>:Verify error:Fetching http://<host>.<domain>.<tld>/.well-known/acme-challenge/4TzVgHEbYhNIgT8YVSmEvVkp0RM5OyUfom1ZwJaAhXE: Connection refused
[Thu Sep 27 16:15:23 EDT 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log
The problem is that apparently Let's Encrypt requires both www.<domain>... and <domain>... to resolve to the server's IP; at least the way it's implemented in CWP imposes this requirement, I'm not sure.
If using your registrar's nameservers for your domain, and assuming your CWP server hostname is <host>.<domain>.<tld>, add a A record for www.<host>.<domain>.<tld> with your domain registrar, in addition to the <host>.<domain>.<tld> record you probably already created.
If using the CWP server for your domain's nameservers, login to CWP.admin, go to DNS Functions -> List DNS Zones, chose Edit Records for your domain, and change the CNAME record for www to a A record pointing to the IP of the CWP server.
Give it time to propagate, then login to CWP.admin and initiate a hostname change in Server Settings -> Change Hostname. You don't have to actually change the hostname, you can leave the field as-is assuming it has the desired/correct <host>.<domain>.<tld> and just click Change Hostname to re-create the SSL cert.
The same requirement would apply to issuing AutoSSL certs for add-on domains for the user account(s) on your CWP server, so make sure you add the www A records for all domains in use that require AutoSSL. When trying to issue the Auto SSL cert for an add-on domain without the appropriate record, you would get the following error in a little red popup:
DNS of your domain doesn't point to this server or you have htaccess restrictions
For reference, my server is a VPS running CentOS 7.5.1804 with CWP version: 0.9.8.740.