Certificate issuance for internal DNS names is something CAs aren’t allowed to do. Additionally, in order to obtain a SSL certificate from Let’s Encrypt, your domain needs to either:
- Be available from the public internet on port 80 (http-01) or 443 (tls-sni-01)
- Have a TXT record with a specific token in place (dns-01; not yet available with the official client)
This is necessary in order to show proof of domain ownership.