I am not sure whether hints to commercial products are okay in this forum. If not, please excuse.
At Secorvo we have a brand new product offering of an ACME enrollment gateway, branded “EaSy - certificates ready2go”, that acts as a proxy between internal ACME clients and external CAs like Let’s Encrypt - provided that the internal systems use only registered DNS names that externally point to the enrollment gateway in a split-DNS configuration.
Details can be found at https://www.secorvo.de/loesungen/easy-ready2go.html (albeit in German language only). Please e-mail me at firstname.lastname@example.org if you have any questions.
Using the enrollment gateway, it becomes possible to enroll Let’s Encrypt certificates for appliances etc. that usually are never connected to the Internet. Therefore we are also looking into getting ACME clients to work on boxes that are not running one of the standard OS platforms.
Currently we have an acme.sh-based prototype running that enrolls (and of course automatically renews) certificates directly from a VMware ESXi hypervisor.
Secorvo Security Consulting GmbH