Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
I have not run a command yet.
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
Windows Server 2016
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I have a split DNS environment (internal server DNS name is different than the external DNS name). If I install the client and generate a certificate, I am assuming it will pull the FQDN (internal DNS name), which will not match the public facing name. Do I need 2 separate certificates or can I specify the name on the certificate to be the external name? I want the external DNS name to be on the certificate so that the applications we are hosting will resolve properly.
Your assumption is incorrect: the ACME client doesn't validate the FQDN, the (remote) Let's Encrypt validation server does. So it'll try to connect to the IP address resolved from the public, external DNS (http-01 or tls-alpn-01 challenges) or use the authoritative DNS servers for validation (dns-01 challenge).
I presume the reason is that you are using the exact same set of FQDNs and simply want to return a different set of IPs from each zone.
[external IPs from external zone - internal IPs from internal zone]
That said, since you plan on requesting a wildcard cert, you will have to ensure the ACME client can update the actual DNS zone for the real Internet domain - OR process the request manually (NOT recommended).
So the first hurdle is using a DNS Service Provider (DSP) that supports zone updates via API.
The second hurdle is using an ACME client that has a plugin for that DSP.
Feel free to ask questions and/or for advice along the way.