You can also get non-wildcard certificates for internal names if the internal names are under a publicly-registered domain name that you control. This can only be done using the DNS-01 verification method, which requires you to create _acme-challenge DNS records (usually via a DNS provider API). With the DNS-01 method, Let’s Encrypt doesn’t have to connect directly to your server for verification. (This is also the only method permitted for issuance of wildcard certificates.)
Some people like wildcard certificates for this application because they don’t reveal exactly which internal names you have. So if you have an internal name based on a secret project (like mysecretproject.domain.com), getting a Let’s Encrypt certificate for that specific name would reveal the existence of this project via the public Certificate Transparency logs, but getting a certificate for *.domain.com instead would only reveal the existence of the wildcard certificate.
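Added example (not from the original post): how the _acme-challenge TXT record for DNS-01 is derived per RFC 8555, so you can pre-check your own DNS before asking the CA to validate. The account key, token and domain names are constructed sample values; a real client derives them from its ACME account key and the challenge object the CA returns.

```python
import base64
import hashlib
import json

# Constructed sample account key (public JWK) and CA-issued token; not real credentials.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 7638 thumbprint input: only the required public members, sorted, no whitespace.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def canonical_jwk(jwk: dict) -> str:
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: token || "." || base64url(JWK thumbprint)
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.4: TXT value is base64url(SHA-256(key authorization))
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())


def dns01_record_name(identifier: str) -> str:
    # A wildcard "*.domain.com" is validated at _acme-challenge.domain.com (no "*." label).
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def txt_record_matches(token: str, jwk: dict, resolved_txt_values: list) -> bool:
    """Mirror the CA's check: the expected value must be among the TXT strings that resolve."""
    return dns01_txt_value(token, jwk) in resolved_txt_values
```

Resolve `dns01_record_name(identifier)` with your resolver of choice and pass the TXT strings to `txt_record_matches` before triggering validation; a stale record from a previous issuance will not match the new token.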