Strictly, address translation, particularly a fully symmetric translation, might mislead you here
For example, suppose I have a NAT device at the edge of my network which turns 220.127.116.11/25 into 10.4.8.0/25 and vice versa and internally all my servers believe they’re using this 10.4.8.0 network. As far as any random HTTPS client is concerned, including Let’s Encrypt’s boulder service, my servers have addresses like 18.104.22.168 but on the servers there’s no sign of that address, just 10.4.8.4
This is probably a relatively rare case, but today I think it works fine with the Let’s Encrypt client so long as you’re not serving different sites from different addresses on the same machine. I know it’s happening in the wild because in my day job we do this of translation on a much larger scale, though we don’t (yet?) use Let’s Encrypt.