On Sat, 30 May 2020 at 18:07, Andy Bennett <andyjpb@ashurst.eu.org> wrote:
> You should be able to get a Let's Encrypt certificate for such devices, even
> if they have private IP addresses, provided they have names in the Global
> DNS.
>
> The DNS-01 protocol (rather than HTTP-01) will allow you to prove the
> ownership of those names with DNS records.

Correct, but the CN on the cert doesn’t need to match a live record. ACME DNS-01 uses a challenge TXT record to auth ownership, e.g. _acme-challenge.example.com for an example.com cert.

I’ve provisioned loads of LE certs using DNS-01 before creating a DNS record matching the CN.

-n
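The DNS-01 mechanism described in the reply above, as an added worked example (not code from either poster, and not a client for any particular CA). It follows RFC 8555 section 8.4 and RFC 7638: the client computes the key authorization (token, a dot, and the base64url SHA-256 thumbprint of its ACME account key), publishes base64url(SHA-256(key authorization)) at _acme-challenge.<name>, and the CA looks that TXT record up and checks that one of the returned values matches. The account key, the token and the simulated DNS answer are all constructed placeholders; the EC key material is dummy data, not a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON of the required members: sorted keys, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) of the ACME account key."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record_name(identifier: str) -> str:
    """Prepend the _acme-challenge label to the name being validated.

    A wildcard identifier (*.example.com) is validated at the base name,
    so the leading '*.' is stripped before the label is prepended.
    """
    name = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{name.rstrip('.')}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_validates(observed_txt_values, token: str, account_jwk: dict) -> bool:
    """What the CA does: accept if any TXT value at the challenge name matches."""
    expected = dns01_txt_value(token, account_jwk)
    return any(value == expected for value in observed_txt_values)


# Constructed placeholders: a dummy P-256 account key (not real key material)
# and a token in the format a CA would hand out with the challenge.
ACCOUNT_KEY = {
    "kty": "EC",
    "crv": "P-256",
    "x": "dummy-x-coordinate-not-a-real-key_AAAAAAAAAAAAA",
    "y": "dummy-y-coordinate-not-a-real-key_BBBBBBBBBBBBB",
}
TOKEN = "constructed-challenge-token-Xk3n9QpLm2Z"


if __name__ == "__main__":
    # Client side: work out what to publish for a cert covering *.example.com.
    name = dns01_record_name("*.example.com")
    value = dns01_txt_value(TOKEN, ACCOUNT_KEY)
    print(f'{name}. IN TXT "{value}"')

    # CA side, simulated: a constructed DNS answer with a stale value plus the
    # fresh one. Note that nothing here involves example.com's own A/AAAA record.
    answer = ["stale-value-from-a-previous-issuance", value]
    print("validated:", ca_validates(answer, TOKEN, ACCOUNT_KEY))
```

The record name and value depend only on the account key and the token the CA issued, which is why the name in the CN can sit in DNS with no A or AAAA record at all (or one pointing at an RFC 1918 address) and still be issued. Because a stale TXT value from an earlier run is simply ignored, leaving old _acme-challenge records behind is harmless, but cleaning them up keeps the lookup small.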