News

Let's Encrypt and Challenge Types

When any ACME client creates a certificate, the key thing the process must do is prove that the domain (example.com, say) really is owned by the user requesting the certificate; otherwise the entire exercise is pointless.

ACME supports various mechanisms to achieve this, but the two main ones are the HTTP-01 and DNS-01 challenges. See https://letsencrypt.org/docs/challenge-types/ for more details.

The HTTP-01 challenge is the easiest to set up, but it requires port 80 to be open on your web server and it cannot be used to obtain wildcard certificates. Keeping port 80 open on a simple web server is (usually) fine, but it is a less good idea on a mail server or other complex system, as it increases the exposure to attack.

The DNS-01 challenge solves both of these problems: validation is done against a real-world DNS server, so the mail server etc. can be safely walled off from the Internet. It is, however, more complex to set up.

The logical assumption here is that if you, the user, control the real-world DNS entries for your domain, then the domain must be 'yours' and so it is safe to issue certificates for it.

The basic operation requires the client to write a TXT record to the DNS, which the CA (Let's Encrypt in this case) then reads. Inside the client these functions are therefore essential:

Add-DnsTxt

Remove-DnsTxt

Save-DnsTxt

The HTTP-01 challenge, which writes a file to the web server for validation, uses the analogous functions:

Add-HttpChallenge

Remove-HttpChallenge

Save-HttpChallenge
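The function names above are those of Posh-ACME's plugin interface. What the Add- step actually publishes, and how the CA checks it, is defined by RFC 8555: the client computes a key authorization (the challenge token joined to the RFC 7638 thumbprint of its account key), serves it verbatim for HTTP-01, and publishes its base64url SHA-256 digest as a TXT record at _acme-challenge.<domain> for DNS-01. The following is an added example, not code from the original page or from any ACME client; it models the DNS zone as an in-memory dictionary, and the JWK modulus and token are constructed sample values, not a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members, keys in lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token.thumbprint: ties the answer to the account that holds the key,
    so a token seen in transit is useless to anyone else."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict):
    """Name and value of the TXT record the client's Add-DnsTxt step must publish:
    the base64url SHA-256 digest of the key authorization."""
    name = f"_acme-challenge.{domain}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


def http01_response(domain: str, token: str, account_jwk: dict):
    """URL and body the client's Add-HttpChallenge step must serve on port 80."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


# Client side, modelled on Add-DnsTxt / Remove-DnsTxt against an in-memory zone.

def add_dns_txt(zone: dict, record_name: str, txt_value: str) -> None:
    zone.setdefault(record_name, []).append(txt_value)


def remove_dns_txt(zone: dict, record_name: str, txt_value: str) -> None:
    values = zone.get(record_name, [])
    if txt_value in values:
        values.remove(txt_value)
    if not values:
        zone.pop(record_name, None)


# CA side: recompute the expected value and look for it in the published zone.

def ca_validates_dns01(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    name, expected = dns01_record(domain, token, account_jwk)
    # Several values may coexist (a wildcard and a base-domain authorization
    # share the same record name), so the CA accepts any matching value.
    return expected in zone.get(name, [])


# Constructed sample data: a fake RSA public JWK (not a real modulus) and a token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed value


def demo():
    """Walk one DNS-01 validation for example.com; returns (published, wrong_token, cleaned_up)."""
    zone = {}
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    add_dns_txt(zone, name, value)
    ok_while_published = ca_validates_dns01(zone, "example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    # A challenge for a different token (another order) is not satisfied by this record.
    wrong_token = ca_validates_dns01(zone, "example.com", "another-token", SAMPLE_JWK)
    remove_dns_txt(zone, name, value)
    ok_after_cleanup = ca_validates_dns01(zone, "example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    return ok_while_published, wrong_token, ok_after_cleanup


if __name__ == "__main__":
    print(dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print(http01_response("example.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print(demo())
```

The Save- step in the real plugin interface exists for DNS providers that batch changes and commit them in one call; it has no equivalent in the in-memory zone above. Note also that the CA-side check only succeeds while the record is published and only for the account key that requested the challenge, which is why a leaked token alone does not let a third party pass validation.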
