First, let me state that I’m totally aware that Let’s Encrypt will not issue a certificate for “whatever.local”, and why it won’t do that.
But would the following scenario work to provide such a device that is only reachable in a private, local network and which uses mdns/avahi/zeroconf to announce its name in the “.local.” domain with a valid HTTPS certificate?
- set up a (public) DNS CNAME entry for “mydevice.mydomain.net” that points to “mydevice.local”
- obtain a certificate for “mydevice.mydomain.net” and install it on the device
- connect from a client in the same network as the device to “https://mydevice.mydomain.net”
If I’m not mistaken, the last step should (at least on a reasonably modern client) resolve “mydevice.mydomain.net” to “mydevice.local” (i.e. get the CNAME from public DNS), then resolve “mydevice.local” to whatever IP the device has at the moment (via mDNS), and finally connect to the device and see the expected certificate for “mydevice.mydomain.net”.
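To make the proposed chain concrete, here is an added example (not part of the post above, and not anything Let’s Encrypt or the forum author wrote) that models the three moving parts as small functions: a toy public zone holding the CNAME, a toy mDNS cache, and the hostname check a TLS client performs against the certificate’s SAN list. The zone contents, the mDNS answer, the IP address and the SAN list are all constructed. Whether a given client actually hands a CNAME target ending in `.local` to its mDNS responder rather than to its unicast DNS resolver is modelled as a flag (`use_mdns_for_local`), because that is exactly the behaviour the post is unsure about; a unicast-only resolver cannot answer for `.local` names, since RFC 6762 reserves that domain for mDNS.

```python
"""Model of the CNAME -> .local -> mDNS -> TLS hostname-check chain.

All data below is constructed for illustration; none of it comes from a
real zone, a real device or a real certificate.
"""

# Constructed public zone: one CNAME pointing into the mDNS-only domain.
PUBLIC_DNS = {
    "mydevice.mydomain.net.": ("CNAME", "mydevice.local."),
}

# Constructed mDNS cache as the client's own responder would have it.
MDNS_CACHE = {
    "mydevice.local.": "192.168.1.23",
}

# dNSName SANs the certificate obtained in step 2 would carry.
CERT_SAN = ["mydevice.mydomain.net"]


def resolve(name, use_mdns_for_local=True, max_cnames=8):
    """Follow CNAMEs through the public zone.

    Names under .local are only answerable via mDNS (RFC 6762); whether the
    client routes a CNAME *target* there is client-specific, hence the flag.
    Returns (ip, chain) where chain lists every name looked up in order.
    """
    chain = [name]
    for _ in range(max_cnames):
        if name.endswith(".local."):
            if not use_mdns_for_local:
                raise LookupError(f"{name}: NXDOMAIN from unicast DNS (.local is mDNS-only)")
            ip = MDNS_CACHE.get(name)
            if ip is None:
                raise LookupError(f"{name}: no mDNS answer")
            return ip, chain
        rr = PUBLIC_DNS.get(name)
        if rr is None:
            raise LookupError(f"{name}: NXDOMAIN")
        rtype, target = rr
        if rtype == "A":
            return target, chain
        name = target          # CNAME: keep following
        chain.append(name)
    raise LookupError("CNAME chain too long")


def hostname_matches_cert(requested_host, san_dnsnames):
    """RFC 6125-style check of the URL host against the certificate SANs.

    Only the name the user typed is compared; CNAME targets seen during
    resolution play no part, which is why a cert for the public name
    validates even though the address came from mDNS.
    """
    host = requested_host.lower().rstrip(".")
    for san in san_dnsnames:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            # A wildcard covers exactly one leftmost label.
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif host == san:
            return True
    return False


def connect(url_host, use_mdns_for_local=True):
    """Simulate https://<url_host>/: resolve, then check the cert name."""
    ip, chain = resolve(url_host + ".", use_mdns_for_local)
    return {
        "ip": ip,
        "chain": chain,
        "cert_ok": hostname_matches_cert(url_host, CERT_SAN),
    }


if __name__ == "__main__":
    print(connect("mydevice.mydomain.net"))
    try:
        connect("mydevice.mydomain.net", use_mdns_for_local=False)
    except LookupError as e:
        print("unicast-only client:", e)
    print("typed .local name matches cert:",
          hostname_matches_cert("mydevice.local", CERT_SAN))
```

Two things fall out of running it: the certificate check succeeds only because the client compares the typed name `mydevice.mydomain.net` against the SAN, so visiting `https://mydevice.local` directly still fails with the same certificate; and if the client's resolver does not route the `.local` CNAME target to mDNS, the lookup ends in NXDOMAIN before TLS is ever attempted.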