IMO Let's Encrypt is way too difficult to bother with for such scenarios: devices that are not open to the internet.
The hassle of forwarding the ports for their verification and having to do it so regularly (3 months) is a real PITA.
I used to just pay for yearly certs for this reason, but prices have gone up, so now I'm back to using self-signed. I'd love to set up my own PKI, but the toolchain is so complex, and many OSes like Android allow apps to opt out of user-added root certificates, which makes it very hard to deal with.
Let's Encrypt is staggeringly easy for devices that are not "open" to the internet: it supports, or has plugins to manage, ACME DNS challenge records fully automatically, even for private IPs in your home network, and this is just one way to do it. Using Let's Encrypt to get valid SSL certs easily, automatically and for free for private IPs behind a NAT is something I love using it for!
You never need to expose a webserver to the public internet to use Let's Encrypt to get a valid SSL certificate, even if the IP is in a private RFC range (192.168.x.x, 10.x.x.x, etc.).
Every single webapp I run internally has a two-line automated Caddy/Let's Encrypt auto-configuration that just works.
To suggest it is way too difficult suggests you haven't tried recently, or are familiar with very old HTTP-based DNS authentication challenges. You have not needed to use HTTP-based challenges with Let's Encrypt for a long time, although they are still supported.
It is now so absurdly easy to do that all my personal projects just have valid SSL by default now, even on my internal LAN. All Let's Encrypt needs is proof of domain ownership; thanks to DNS TXT records, no one needs to host a website or port-forward to accomplish that.
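As an added illustration (not code from the thread or from any ACME client such as Caddy or certbot), the script below reimplements with the standard library the two hashing steps that define a DNS-01 challenge: the RFC 7638 thumbprint of the ACME account key, and the RFC 8555 §8.4 key authorization that is hashed into the `_acme-challenge` TXT value. The account key is a constructed JWK with a placeholder modulus, not a real key; the hostname and tokens are likewise made up. It also shows the CA's side of the comparison, so you can see why the record has to change for every issuance: the token is issued per challenge.

```python
"""Added example: what an ACME DNS-01 challenge actually asks you to publish.

Not code from the thread or from any ACME client. Reimplements RFC 7638
(JWK thumbprint) and RFC 8555 section 8.4 (DNS-01) with the standard library.
The account key below is a CONSTRUCTED JWK with a placeholder modulus, not a
real key; a real client derives the thumbprint from its actual account key.
"""
import base64
import hashlib
import json

# Constructed sample account key (placeholder modulus, NOT a real RSA key).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz",
    "alg": "RS256",  # optional member: must NOT enter the thumbprint
}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used everywhere in ACME (RFC 8555 section 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 thumbprint input: only the required members of the key type,
    lexicographically ordered, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) (RFC 7638 section 3)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def dns01_record(fqdn: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) the client must publish for a DNS-01
    challenge. key_authorization = token '.' thumbprint(account key);
    TXT value = base64url(SHA-256(key_authorization))."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    txt = b64url(hashlib.sha256(key_authz.encode("ascii")).digest())
    return f"_acme-challenge.{fqdn.rstrip('.')}", txt


def ca_side_verify(observed_txt: list[str], token: str, account_jwk: dict) -> bool:
    """The CA's check: query the TXT records at _acme-challenge.<fqdn> and
    accept if any one of them equals the expected digest. Several records may
    coexist (e.g. a wildcard and a base-name order in flight at once)."""
    _, expected = dns01_record("ignored.example", token, account_jwk)
    return any(record == expected for record in observed_txt)


if __name__ == "__main__":
    host = "app.home.example.com"  # constructed internal hostname
    for token in ("tok-from-first-order", "tok-from-renewal-order"):
        name, value = dns01_record(host, token, SAMPLE_ACCOUNT_JWK)
        print(f"{name}. IN TXT \"{value}\"")
```

Because the token is chosen by the CA for each challenge, the TXT value is different on every order, including each ~60-day renewal; that is why a static record does not work and why DNS-plugin clients need API write access to the zone (or to a zone that `_acme-challenge.<host>` is CNAMEd into) rather than a one-off entry.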
But still, those ACME records need to be updated every time on my outside DNS server, right? Or is it just a static record? That I can do; a dynamic one is very hard with my DNS provider (meaning I would still need to do everything manually every 3 months, which is not an option).
I also don't really like leaking internal network info to my external DNS provider, which is why I run my own internal DNS servers. And I use a domain for my internal network which does not really exist in the real world; I don't know if Let's Encrypt can handle this.
I have indeed not tried it recently; the last time I tried it was about 1 year after they launched. Trying to script all the firewall rules to open the ports for a second was a real PITA.
I'll have a look at this, thanks for the heads-up.
The pain point here is something like .home.arpa, which is nominally the recommended domain to use for home networks (not .local, to avoid conflicts with mDNS, IIRC).
There's still no good solution if you're using a domain that's not valid on the net. LE's lookup has to be able to reach the DNS server for the domain. I think it's something the industry as a whole has failed at: ensuring even LAN devices have good security without doing things like "your home network must have a publicly resolvable domain" or "run your own CA".
You could use the DNS authentication: just set the IP to the local one of this box for the domain you own/will always use; then all you have to be able to do is hit external DNS and Let's Encrypt to update the cert.
AFAIK you can't, because then there are no DNS records to verify against. You could use a subdomain of a real TLD if you had one, though, or just bite the bullet and spend 10 bucks a year.