cPanel comes with an extension called "AutoSSL" that helps to ensure that your site(s) always has a valid SSL certificate. Due to this, the only tasks that you need to perform are enabling the Let's Encrypt AutoSSL script and configuring the front-end with your settings.
The following assumes that you have root access to the machine that cPanel is running on (if this is not the case, a ticket can be created to request this feature). Log into your shell either as root or sudo the following command:
From here you can now open cPanel Home > SSL/TLS > Manage AutoSSL. There will be a new box for the Let's Encrypt service which you should select, as well as enabling "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." Due to Let's Encrypt renewal feature, this will let cPanel automatically retrieve new replacement certificates as they become available. More information on how AutoSSL works overall can be found here.