You can achieve this without exposing any service. Let's Encrypt allows you to prove ownership of a domain through DNS-01 hooks.
I personally use Duck DNS [1] for main internal domains, so I can have a certificate that most tools will recognize as valid. This saves me from adding my cert in every machine that will use that service.
I use dehydrated [2] to get a Let's Encrypt certificate using Duck DNS. There is a good article explaining that by Andreas Gohr [3].
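A dehydrated hook script for the DNS-01 challenge against Duck DNS, as an added example (not code from the comment above, from dehydrated or from Duck DNS). It assumes the Duck DNS update endpoint `https://www.duckdns.org/update` with its `domains`, `token`, `txt` and `clear` query parameters, that dehydrated calls the hook as `HOOK deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE` and `HOOK clean_challenge ...`, and that the Duck DNS token is supplied through the `DUCKDNS_TOKEN` environment variable rather than stored in the script:

```shell
#!/bin/sh
# dehydrated hook for the Let's Encrypt DNS-01 challenge against Duck DNS.
# Added example, not dehydrated's or Duck DNS's own code. Assumed API:
# GET https://www.duckdns.org/update?domains=<sub>&token=<token>&txt=<value>
# and ...&txt=&clear=true to remove the record. DUCKDNS_TOKEN must come from
# the environment (or a root-only file sourced by dehydrated's config), never
# from this file, because the hook is usually world-readable.
set -eu

DUCKDNS_API="${DUCKDNS_API:-https://www.duckdns.org/update}"

# Map a full name such as nas.myhome.duckdns.org (or *.myhome.duckdns.org)
# to the Duck DNS subdomain that owns the TXT record, here "myhome".
duckdns_subdomain() {
    local name="${1#\*.}"            # drop a leading wildcard label
    name="${name%.duckdns.org}"      # strip the shared suffix
    printf '%s\n' "${name##*.}"      # right-most remaining label
}

# Build the update URL. The token travels as a query parameter, so the URL
# must only go over HTTPS and must never be echoed into logs.
duckdns_url() {
    local sub="$1" txt="$2" mode="${3:-set}"
    local url="${DUCKDNS_API}?domains=${sub}&token=${DUCKDNS_TOKEN:?DUCKDNS_TOKEN not set}"
    if [ "$mode" = clear ]; then
        printf '%s\n' "${url}&txt=&clear=true"
    else
        printf '%s\n' "${url}&txt=${txt}"
    fi
}

deploy_challenge() {
    local domain="$1" token_value="$3"   # $2 (token filename) is unused for DNS-01
    local sub; sub="$(duckdns_subdomain "$domain")"
    # Duck DNS replies "OK" or "KO"; anything but OK aborts the run instead of
    # letting dehydrated wait on a record that was never published.
    [ "$(curl -fsS "$(duckdns_url "$sub" "$token_value")")" = OK ] || exit 1
    sleep 30   # let resolvers pick up the new TXT value before validation
}

clean_challenge() {
    local sub; sub="$(duckdns_subdomain "$1")"
    curl -fsS "$(duckdns_url "$sub" "" clear)" >/dev/null
}

case "${1:-}" in
    deploy_challenge) shift; deploy_challenge "$@" ;;
    clean_challenge)  shift; clean_challenge  "$@" ;;
    *) ;;   # deploy_cert, unchanged_cert and the other events need no action
esac
```

Point dehydrated at it with `HOOK=/path/to/this-script` and `CHALLENGETYPE="dns-01"` in its config; Duck DNS keeps a single TXT value per subdomain (assumption), so request one name per run rather than several in parallel.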