Once certbot has run successfully, you will have two files: /etc/letsencrypt/live/xxx.yyy.zzz/fullchain.pem and /etc/letsencrypt/live/xxx.yyy.zzz/privkey.pem.
In your frontend service, there are fields "[DEPRECATED] SSL Certificate" and "[DEPRECATED] SSL Key". Put the certificate ("fullchain.pem") content in the field "[DEPRECATED] SSL Certificate" and the key ("privkey.pem") content in "[DEPRECATED] SSL Key".
Once you have confirmed that you can reach your website over HTTPS, you can set "HTTPS only" back to "true".
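
Before pasting the two files into the frontend fields, it helps to confirm that privkey.pem really belongs to the certificate in fullchain.pem and that the file is the full chain rather than the leaf certificate alone. The script below is an added example, not part of the original instructions; the function name check_certbot_pair and its exit codes are made up for illustration, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original page): check certbot's output before
# pasting it into the frontend's SSL Certificate / SSL Key fields.
# Usage: sh check_pair.sh /etc/letsencrypt/live/<your-domain>/fullchain.pem \
#                         /etc/letsencrypt/live/<your-domain>/privkey.pem

# Hypothetical helper. Returns:
#   0 = pair is usable          1 = key does not match the certificate
#   2 = a file could not be parsed   3 = certificate has already expired
check_certbot_pair() {
    local cert="$1" key="$2" cert_pub key_pub count

    # Public key of the first (leaf) certificate in the chain file,
    # re-encoded by "openssl pkey" so both sides use the same format.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null |
               openssl pkey -pubin -pubout 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 2; }

    # Public key derived from the private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $key" >&2; return 2; }

    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to this certificate" >&2; return 1
    fi

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate has expired" >&2; return 3; }

    # fullchain.pem normally holds the leaf plus intermediate(s);
    # a single block suggests cert.pem was used by mistake.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert")
    [ "$count" -ge 2 ] || echo "warning: only $count certificate in $cert" >&2

    echo "OK: key matches certificate, $count certificate(s) in chain file"
    return 0
}

# Run the check only when both paths are supplied on the command line.
if [ "$#" -eq 2 ]; then check_certbot_pair "$1" "$2"; fi
```

A non-zero exit status means the pair should not be pasted into the frontend as it stands.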