You should be able to get a Lets Encrypt certificate for such devices, even
if they have private IP addresses, provided they have names in the Global
The DNS-01 protocol (rather than HTTP-01) will allow you to prove the
ownership of those names with DNS records.
Correct, but the CN on the cert doesn’t need to match a live record. Acme DNS-01 uses a challenge TXT record to auth ownership, e.g. _acme-challenge.example.com
for an example.com
I’ve provisioned loads of LE certs using DNS-01 before creating a DNS record matching the CN.