Use Let's Encrypt SSL certificates on Spacewalk

Here are the steps (they assume EPEL is already installed). This article was inspired by https://omg.dje.li/2017/04/using-lets-encrypt-ssl-certificates-with-spacewalk/

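# Identity the certificate is issued for: short hostname + your domain.
# The resulting name must resolve publicly and be reachable on port 80 from
# outside, because the webroot challenge below is answered over plain HTTP.
DOMAIN="<domain.com>"   # replace with your domain
export FQDN="$(hostname -s).${DOMAIN}"

# Contact address registered with Let's Encrypt (expiry notices are sent here).
EMAIL="spacewalk@example.com"   # replace with your e-mail

# certbot comes from EPEL on RHEL/CentOS.
yum install certbot

# Webroot challenge: certbot drops the token under /var/www/html, which the
# Spacewalk httpd already serves (the /pub directory lives there too).
certbot certonly -n --webroot -w /var/www/html -d "${FQDN}" --agree-tos --email "${EMAIL}"

# Hook certbot runs after a successful renewal: Spacewalk is restarted so
# httpd/jabberd re-read the renewed files. The heredoc is deliberately
# unquoted: $FQDN is expanded now (at write time), while \$ keeps the other
# expansions for the hook itself.
cat << EOF > /usr/local/bin/certbot-renew.sh
#!/bin/bash
LE_LIVE="/etc/letsencrypt/live"
FQDN="$FQDN"
/sbin/spacewalk-service stop >/dev/null 2>&1
# NOTE(review): certbot's fullchain.pem already starts with cert.pem, so this
# appends a duplicate leaf certificate each time it runs; confirm whether any
# consumer actually needs it before keeping the line.
cat "\${LE_LIVE}/\${FQDN}/cert.pem" >> "\${LE_LIVE}/\${FQDN}/fullchain.pem"
/sbin/spacewalk-service start >/dev/null 2>&1
EOF
chmod a+x /usr/local/bin/certbot-renew.sh

# certbot-renew.service reads /etc/sysconfig/certbot as an environment file;
# a later RENEW_HOOK= line wins over any earlier one. The bytes written are
# exactly:  RENEW_HOOK=--renew-hook '/usr/local/bin/certbot-renew.sh'
# (the outer double quotes of the original echo were never part of the file).
# Newer certbot releases document --deploy-hook, which also fires on the
# first issuance; --renew-hook is kept here as on the page.
printf '%s\n' "RENEW_HOOK=--renew-hook '/usr/local/bin/certbot-renew.sh'" >> /etc/sysconfig/certbot
systemctl enable certbot-renew.timer
systemctl start certbot-renew.timer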
 

# Trust file that will be handed to Spacewalk clients. One certificate in PEM
# form is pasted here (its body is not reproduced on this page; presumably the
# root CA, since openssl verify below must succeed against this file); the
# Let's Encrypt intermediate is appended by the curl step that follows.
cat << EOF > /root/ca-chain.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF

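# Append the Let's Encrypt intermediate to the trust file.
# -f makes curl fail on an HTTP error instead of appending an error page to
# the CA bundle; -sS silences the progress meter but still reports errors.
# NOTE(review): this is the X3 cross-signed intermediate named on the page;
# check it still matches the chain certbot actually issued (chain.pem in
# /etc/letsencrypt/live/$FQDN/) before distributing the bundle.
curl -fsS https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt >> /root/ca-chain.pem

# Sanity check: the issued chain must validate against the assembled bundle.
# grep -c prints the number of matching lines, so this should print 1.
openssl verify -CAfile /root/ca-chain.pem "/etc/letsencrypt/live/${FQDN}/fullchain.pem" | grep -c "fullchain.pem: OK"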

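# Back up everything the steps below replace, so the self-signed setup can be
# restored from SSLconfig.tar (written to the current directory).
tar -cvf SSLconfig.tar /etc/httpd/conf/ssl.* /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build /var/www/html/pub

# The page re-evaluated $(hostname -s) and `date -I` in several places;
# evaluating them once keeps every path consistent (and survives midnight).
HOST_SHORT="$(hostname -s)"
BACKUP_DIR="/root/ssl-build/${HOST_SHORT}-$(date -I)"

# Set the old self-signed build aside and point the new one at certbot's files.
mv "/root/ssl-build/${HOST_SHORT}" "${BACKUP_DIR}"
mkdir -p "/root/ssl-build/${HOST_SHORT}/"
cd "/root/ssl-build/${HOST_SHORT}" || exit 1
ln -s "/etc/letsencrypt/live/${FQDN}/fullchain.pem" server.crt
ln -s "/etc/letsencrypt/live/${FQDN}/privkey.pem" server.key
# The page's cp had no destination; the old CSR is copied into the new build dir.
cp "${BACKUP_DIR}/server.csr" .
cp /root/ca-chain.pem /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT

# Second sanity check; should print 1. (The page referenced ${HOST}, which is
# never set in these steps, so the check verified a non-existent path.)
openssl verify -CAfile /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT "/root/ssl-build/${HOST_SHORT}/server.crt" | grep -c "server.crt: OK"

# Store the CA in the Spacewalk database and rebuild the packaged key pair
# and CA certificate RPMs from the linked files.
rhn-ssl-dbstore -v --ca-cert=/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
rhn-ssl-tool --gen-server --rpm-only --dir /root/ssl-build
rpm -Uvh /root/ssl-build/"${HOST_SHORT}"/rhn-org-httpd-ssl-key-pair-"${HOST_SHORT}"-*.noarch.rpm
rhn-ssl-tool --gen-ca --dir=/root/ssl-build --rpm-only

rpm -Uvh /root/ssl-build/rhn-org-trusted-ssl-cert-*.noarch.rpm

# Publish the CA RPM and PEM for clients. \cp bypasses any cp alias
# (e.g. cp -i) so the copy does not prompt.
\cp /root/ssl-build/rhn-org-trusted-ssl-cert-*.noarch.rpm /var/www/html/pub
\cp /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub

# Replace the httpd key pair the RPM installed with links to certbot's files.
# ${FQDN} is used here as everywhere else; the page used $(hostname), which
# only matches when the system hostname is already the full name.
mv /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.key/server.key.self-signed
mv /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server.crt.self-signed
ln -s "/etc/letsencrypt/live/${FQDN}/privkey.pem" /etc/httpd/conf/ssl.key/server.key
ln -s "/etc/letsencrypt/live/${FQDN}/fullchain.pem" /etc/httpd/conf/ssl.crt/server.crt

# NOTE(review): jabberd's server.pem is pointed at fullchain.pem, which holds
# certificates only, no private key — confirm jabberd starts with this setup.
mv /etc/pki/spacewalk/jabberd/server.pem /etc/pki/spacewalk/jabberd/server.pem.self-signed
ln -s "/etc/letsencrypt/live/${FQDN}/fullchain.pem" /etc/pki/spacewalk/jabberd/server.pem

spacewalk-service restart

systemctl restart osad # optional if osad is used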

 

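# On client, run
SPACEWALK_SERVER="<spacewalk.example.com>"   # replace with your server name
RPM_REV="<rev>"                              # replace with the revision built above (see /root/ssl-build on the server)
# NOTE(review): the page fetched this trust anchor over plain http, so anyone
# on the path could swap in a CA the client would trust from then on. The
# server now serves a valid Let's Encrypt certificate, so https works here;
# the downloaded file's fingerprint can additionally be compared against
# /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT on the server.
yum --noplugins -y localinstall "https://${SPACEWALK_SERVER}/pub/rhn-org-trusted-ssl-cert-1.0-${RPM_REV}.noarch.rpm"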