Hacker News
by MegaThorx 2231 days ago
I'm currently using the DNS challenge of Let's Encrypt for something similar. My setup is a VM running docker with multiple sites. I just set up a DNS record (it only points to the IP of the VM which is a private (e.g. 192.168...) one) and set up traefik as the reverse proxy with the DNS challenge. Works really well except that my router blocked the DNS record at first.

The machine that's running this has no Internet connectivity though (which is a big reason why it's running that stack in the first place!), so I'm not sure if that approach would work?

It's a workplace server as well, so I don't really have the freedom to punch holes for outside access.

You can issue a certificate for it just via DNS challenge on another system, and then get the keys+cert to the actual system.

The crucial question is: do you control your users' DNS?

I had a setup like this in college, and wrote this: https://blog.sdslabs.co/2014/07/sdslabs-domain-working