Sadly it is not always possible what with the large range of devices
that use certs. Things that aren't "real hosts" like IPMI/BMC,
firewall and loadbalancer appliances for example, can restrict you
to a manual process.
You should be able to get a Let's Encrypt certificate for such devices, even
if they have private IP addresses, provided they have names in the Global
The DNS-01 protocol (rather than HTTP-01) will allow you to prove the
ownership of those names with DNS records.
Then it's "just" a question of working out how to upload those certificates
in a more-or-less automated way to the devices themselves...