Hi @KaiForce,
The requests do not have to originate from an IP address that matches a subject name. However, with two of the three available validation methods, the requests do have to be confirmed by receiving an inbound connection on such an IP address.
That means that the client software requesting the certificate has to somehow be able to cause the correct information to be returned in response to this inbound connection, which is normally done by running the client on a server that does respond for those IP addresses, but does not inherently have to be done that way. There is a particular method involving HTTP redirections that’s pretty effective when you want to get one machine to get certificates on behalf of other machines, assuming that they can all receive inbound connections but don’t have the same IP address. However, that might not be the case for your particular situation.
If you can’t receive inbound connections from the public Internet, the easiest method might be DNS-01 authentication, where you prove your control of the domain name by making a requested change to the DNS zone. Can you update your DNS zone? Different clients can trigger this by running a script or using a DNS provider API.