A huge thanks to some forum users, and the Let's Encrypt team! ❤️

Recently, I've been looking for a way to get clients on my local network to have local certificates validated by a trusted CA so that I don't have to install my own self-signed CA root into each device. In addition to that, I want to make use of my local services on IoT devices as well as TVs whose cert store I cannot (or rather, not easily) access.

I have used Let's Encrypt many times in the past to get my personal websites hosted on AWS and other cloud platforms up and running. It's always been such a breeze! To be able to verify that I own the server, and have a mechanism to have a trusted CA like Let's Encrypt sign my cert so that everyone can access my content via HTTPS, makes me feel so happy! And I'm so glad that all content between the client and the website can be secured with SSL, in a trusted way (obviously for myself, I know that the cert is correct, but everyone else accessing my site would not know that). The mechanism that Let's Encrypt provides to allow you to verify that you own the server where the code is coming from, without going through these big conglomerates, and allow me as a solo developer and independent hobbyist to give all my users peace of mind about the HTTPS connection to my sites, is nothing short of a godsend!

Thank you Let's Encrypt team! :heart:

Thank you for building this platform, where we encourage all sites to use SSL, ensuring that data cannot be tampered with between client and server.

Recently, as I mentioned, I was looking at getting certificates for my local domain. I've moved all my services that I used to run in the cloud to a locally hosted Raspberry Pi, for cost reasons. Also, there is a lot more flexibility in having my own server, right next to me. But the problem is that I don't want to expose these onto the public web. I have a WireGuard VPN set up so that if I'm not at home, I can still connect to my local network without exposing anything to the public internet. But, in doing this, I was no longer able to get Let's Encrypt to validate my certificate requests, because the server is not publicly accessible.

Fast forward a few days, and I find this post:

So, my first thanks to an individual is to georgev93 for posting this question.
I hadn't known that Let's Encrypt had evolved in such a way that it now allowed DNS-01 challenges as an acceptable way to verify your domain. This is just what I needed, because I still own my public domains, but they are mostly used for email, and the services are no longer deployed on those domains.

After reading through all of that, I then saw, OK, cool, so as aarongable mentions, you can basically set up a redirect locally, to send the traffic that would go to your public domain (internally) to your internal servers.
This was perfect, because I already have local DNS entries set up on my Pi-hole, since I wanted all my devices to be able to access the different services without needing to remember the IP of the server each service is on.
So, after doing the DNS challenge, I was able to add new local DNS entries on my Pi-hole that routed this public name (e.g. my-cool.service.local.mypublicdomain.com) to one of my local servers. And then, because I had generated the certificate for this domain my-cool.service.local.mypublicdomain.com and used that on my server as the certificate for HTTPS requests, it all just worked. Now all my devices, without knowing my local self-signed CA cert, could access my services without the need to install a root CA, because the cert had already been signed by the Let's Encrypt CA.
Absolutely beautiful! And a HUGE thanks to the Let's Encrypt team for making DNS-01 challenges a possibility to verify your domain and get a certificate for that domain. It's really amazing, because I can rest easy that the cert is going to remain valid for as long as I own the domain and the login details to the DNS provider hosting my domain entries remain secure and with me. There is no chance of anyone else messing with my domain to generate a certificate as if they were me! It's amazing!!! :star_struck:

A big thank you to georgev93 and aarongable for the contribution to the forum in this regard :heart:

That's only the first part of the story though.

Now, doing the DNS-01 challenge, I was using certbot, with the --manual flag. This means that I had to get the TXT record from the terminal, go to my domain host, and update the DNS entry with this value. This is not ideal, because every 60 to 90 days, I would need to remember that I need to run these commands for each of my services and update the TXT for each service. Really not the best approach, considering that I'm not 90 years old, and will likely be using this for many, many, many years to come. So I wanted to find out how we could automate this process :thinking:

Fast forward to the next day, I find this article

Now, a big thanks to borsaid for posting this, basically with my exact question! Because my domain host provider, unfortunately, does not have any type of API that allows me to interact with the DNS entries remotely or programmatically. This is where I started to doubt if I was even going to be able to do this automatically, and started thinking about my chores for the next 10, 20, 30 years and thinking, well, I guess I'll just have to add this to my list of chores, like doing the laundry. I'll just have to manually update the DNS entries for the rest of time. No no, this is where schoen (who, as I see, is a former Let's Encrypt developer) comes in. A MASSIVE HUGE THANKS to you schoen! He explained a neat little "work-around" that you could do, if you had access to another DNS provider.

I must admit, it took me a little while to completely understand what was being proposed here, and exactly what it meant that I needed to do to get this to work. But thanks to ChatGPT helping me decipher what was being said, I was able to make sense of the content, and basically created the CNAME on my public domain with the subdomain prefix _acme-challenge., and away we went! I then found the best ACME tool for the job here, where they focused on providing a DNS API for you to use, namely this ACME tool: GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

Now, with the combination of the CNAME and the API provided with acme.sh, I was able to generate my certificates without having to manually enter the TXT entries into my domain.

A final massive thank you to borsaid for asking exactly what was on my mind and to aarongable for the contribution to the forum in this regard and to schoen for providing the exact information that I was looking for :slight_smile: :heart: :heart_decoration:

This has been quite an interesting couple of days throughout my journey on this, and I just really want to thank everyone who asked the questions that I had (now basically a few years later), and those who provided the needed answers for me to do what I wanted to do! It is simply amazing that we've come so far in allowing independent developers and administrators to get certified SSL certs to use for their domains.

I truly believe that all this work done on the Let's Encrypt project is making the web a safe place, where all sites can easily get access to SSL certs for their domains. I know there are always going to be the "haters" and such, that say, well, if everything is able to be validated as "secure" by the browser, how do you know that you're not on a phishing site or something? And I mean, to that, I just say, when you go to a site, make sure you look at the URL. If the URL is incorrect, then you're at the wrong place. The "secure" label that browsers showed for a long time is not an indication that the site is the "legit" site that you are trying to visit. It never has been. But with the Let's Encrypt project, we as small, independent developers working on side projects and such, have the ability to ensure that all the communication between the client and our server is secured with an SSL connection.

And to that, again, I want to ***thank the Let's Encrypt team :lock:*** for all the work that you've done on this project :heavy_heart_exclamation: It is truly amazing to be living in a world where I can secure my services behind HTTPS and have anyone access that with confidence that the connection is secured.

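As an added worked example (not code from the post above, nor from acme.sh or certbot), here is the DNS-01 mechanism that makes the `_acme-challenge` CNAME trick work, simulated offline: the CA computes the expected TXT value from the challenge token and the account key's thumbprint (RFC 8555 section 8.4, RFC 7638), then queries `_acme-challenge.<name>` and simply follows whatever CNAME it finds. Everything in it is constructed: the account key coordinates are placeholders, the token is the example token from RFC 8555, the alias zone `acme-alias.example` and the zone contents are assumed; only the hostname `my-cool.service.local.mypublicdomain.com` comes from the post.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 8555 and the JOSE specs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, lexicographically
    ordered, no whitespace, SHA-256, base64url.  Optional members are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record must hold
    base64url(SHA-256(token "." thumbprint(accountKey)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


class FakeResolver:
    """Stand-in for the CA's recursive resolver (constructed), backed by a zone
    dict of {name: {"CNAME": target}} or {name: {"TXT": [values]}}."""

    def __init__(self, zone: dict):
        self.zone = {n.lower().rstrip("."): rrs for n, rrs in zone.items()}

    def txt(self, name: str, max_hops: int = 8) -> list:
        name = name.lower().rstrip(".")
        for _ in range(max_hops):
            rrs = self.zone.get(name, {})
            if "CNAME" in rrs:
                # This is the whole trick: the validator follows the CNAME out
                # of the API-less zone into the zone acme.sh can write to.
                name = rrs["CNAME"].lower().rstrip(".")
                continue
            return list(rrs.get("TXT", []))
        raise RuntimeError("CNAME chain too long or looping")


def validate_dns01(resolver: FakeResolver, fqdn: str, token: str, account_jwk: dict) -> bool:
    """What the CA does for a DNS-01 challenge on fqdn."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in resolver.txt(f"_acme-challenge.{fqdn}")


# --- constructed inputs: none of these are real keys, tokens or zones ---
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-key",
    "y": "constructed-y-coordinate-not-a-real-key",
    "kid": "optional-member-ignored-by-the-thumbprint",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # example token from RFC 8555
SERVICE = "my-cool.service.local.mypublicdomain.com"   # hostname from the post
ALIAS = "_acme-challenge.acme-alias.example"           # zone at the API-capable provider (assumed)


def build_zone(txt_value: str) -> dict:
    return {
        # Created once, by hand, at the provider that has no API:
        f"_acme-challenge.{SERVICE}": {"CNAME": ALIAS},
        # Rewritten on every renewal by acme.sh through the alias provider's API:
        ALIAS: {"TXT": [txt_value]},
    }


def demo():
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    fresh = validate_dns01(FakeResolver(build_zone(value)), SERVICE, TOKEN, ACCOUNT_JWK)
    stale = validate_dns01(FakeResolver(build_zone("left-over-from-last-renewal")),
                           SERVICE, TOKEN, ACCOUNT_JWK)
    return value, fresh, stale


if __name__ == "__main__":
    value, fresh, stale = demo()
    print(f"TXT for {ALIAS}: {value}")
    print(f"fresh record validates: {fresh}; stale record validates: {stale}")
```

The one-time CNAME is the only record that ever has to live at the provider without an API; acme.sh's DNS alias mode (`--challenge-alias`) writes the fresh TXT value into the alias zone on each renewal, which is what removes the 60-to-90-day manual step. The Pi-hole override for the A record is independent of all this: the CA only walks the TXT chain in public DNS and never sees where the name resolves inside the LAN.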

Oh, sorry, I see that I did not end up tagging the peeps that helped me! I had hoped to thank you guys directly on your original thread, but those are all closed. So I just want to tag you here so that you are able to see how you've helped me :slight_smile:

The specific peeps that I'd like to thank are
@aarongable and @schoen

I wanted to thank the original posters too, but sadly I'm too new :sob:

An error occurred: Sorry, new users can only mention 2 users in a post.

And of course, the Let's Encrypt team! But I don't know if they are taggable :see_no_evil:
