Use a DNS authenticator plugin to use the dns-01 challenge.
The apache authenticator (using --apache selects the apache plugin as authenticator as well as installer) can only do the http-01 challenge, logically. And of course that doesn't work with private IP addresses. Thus the only way is to use the dns-01 challenge.
Setting up certbot-dns-cloudflare shouldn't be too hard though. You can use my Gentoo overlay for the official Certbot DNS plugins so you can use emerge to simply install the plugin. It's added to the Gentoo list of overlays so you can simply use app-eselect/eselect-repository to add it. See the "Instructions" method in the overlay repository to find out more.
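
A sketch of the setup the answer above describes, added here as an example and not taken from the original post: it writes the Cloudflare credentials file with owner-only permissions and builds a Certbot command that uses dns-cloudflare as authenticator while keeping apache as installer. The file path, hostname and token value are placeholders, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example. Path, hostname and token below are placeholders, not real values.

# Write the certbot-dns-cloudflare credentials file, readable by its owner only.
# The API token can edit DNS records, so it must not be group/world readable.
write_cf_credentials() {
    cred_file=$1
    token=$2
    (
        umask 077
        mkdir -p "$(dirname "$cred_file")"
        printf 'dns_cloudflare_api_token = %s\n' "$token" > "$cred_file"
    )
    chmod 600 "$cred_file"
}

# Succeed only if the credentials file mode is 600 or 400.
cred_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Build the Certbot command line: dns-01 via the Cloudflare plugin as
# authenticator (-a), the apache plugin as installer (-i).
certbot_cmd() {
    cred_file=$1
    domain=$2
    printf 'certbot run -a dns-cloudflare -i apache --dns-cloudflare-credentials %s -d %s' \
        "$cred_file" "$domain"
}

# Demonstration in a scratch directory; prints the command instead of running it.
demo_dir=$(mktemp -d)
write_cf_credentials "$demo_dir/cloudflare.ini" "PLACEHOLDER_API_TOKEN"
if cred_mode_ok "$demo_dir/cloudflare.ini"; then
    echo "credentials file permissions OK"
    echo "would run: $(certbot_cmd "$demo_dir/cloudflare.ini" internal.example.com)"
fi
rm -rf "$demo_dir"
```

On a real host the credentials file would live somewhere persistent and root-owned, and the printed command would be run as root with the actual hostname.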