I installed the win-acme client, and ran through the wizard to get the error:
[dc1.internal.contoso.com] {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for dc1.internal.contoso.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for dc1.internal.contoso.com - check that a DNS record exists for this domain","status":400,"instance":null}
[dc1.internal.contoso.com] Deactivating pending authorization
So I clearly need a way to validate my domain.
I presume I need to open a port to my server (port 80?) and then I presume I need a record (type?) on my domain company? What IP or address should this record point to?
I can use the current IP but obviously this will change in future.
My Firewall already has a DDNS contosofw.fortigate.ddns or similar.
The first problem you are having is the NXDOMAIN - this means Let's Encrypt tried to look up an IP for the name you gave it and it found no record at all. The second problem will be that you are probably trying to use HTTP validation which only works for public domains and only where the machine can respond publicly over TCP port 80.
For internal stuff I'd suggest using DNS validation if you can, that way you don't need to worry about firewall and public DNS entries, but it does still need to be a public domain you can edit DNS records for.
When you set up a certificate in any ACME tool you normally get the choice of using HTTP validation or DNS validation (and sometimes tls-alpn-01, which is a variation on http validation but over port 443).
Going with http validation means your server needs to present a specific answer when the CA asks for http://<yourdomain>/.well-known/acme-challenge/<challenge response file name>. The acme client usually helps with this part.
If you go with DNS validation you need to present a specific _acme-challenge TXT record in your DNS for each domain/subdomain you want. Most often ACME clients have some sort of integration with various DNS providers and if you're lucky they will support the DNS provider you use. The alternative is to use manual DNS (updating the TXT record yourself) but that means you don't get the benefit of automatic renewals. Manual DNS is often one of the easiest methods for testing though, especially for internal machines that need a cert.
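What the CA actually checks in each case, following RFC 8555 sections 8.1, 8.3 and 8.4, shown as an added example that is not part of the original thread and not win-acme's code. The account key and token are constructed sample values, and the function names are chosen here for illustration.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample values (not a usable key, not a token issued by any CA).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "c2FtcGxlLXgtY29vcmRpbmF0ZS1jb25zdHJ1Y3RlZA",
               "y": "c2FtcGxlLXktY29vcmRpbmF0ZS1jb25zdHJ1Y3RlZA"}
TOKEN = "constructed-token-Zm9yLWlsbHVzdHJhdGlvbg"

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the key's required members."""
    members = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token, a dot, then the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_response(domain: str, token: str, jwk: dict) -> dict:
    """What must be served on TCP port 80 for the CA to fetch."""
    if domain.startswith("*."):
        # Let's Encrypt issues wildcard certificates through dns-01 only.
        raise ValueError("http-01 cannot validate wildcard names; use dns-01")
    return {"url": f"http://{domain}/.well-known/acme-challenge/{token}",
            "body": key_authorization(token, jwk)}

def dns01_record(domain: str, token: str, jwk: dict) -> dict:
    """The public TXT record the CA looks up; no inbound port is needed."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{base}", "type": "TXT", "value": b64url(digest)}

if __name__ == "__main__":
    print(http01_response("remote.contoso.com", TOKEN, ACCOUNT_JWK))
    print(dns01_record("remote.contoso.com", TOKEN, ACCOUNT_JWK))
```

The TXT value is a hash of the key authorization, so the record can be published without exposing the account key, and it changes with every new token, which is why manual DNS does not renew unattended.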
Exactly - not a big fan of having to manually update the DNS records for renewal etc.
I do have a Firewall with ddns setup - so could I set up a record at my DNS provider like remote.contoso.com -> my.ddns.com ? And if so - what type of record would it be?
Then I can get a cert for remote.contoso.com using the win-acme - I assume I will also need a port open (TCP? Port?)
Yes, if you use the default http validation you need TCP port 80 open (and external TCP port 80 traffic has to reach that machine) so the app can respond to the HTTP challenge for you,