These are the options for proving control of a name to Let’s Encrypt:
Just to be clear, the name itself does not have to be defined in the public DNS (if you use the DNS-01 method) as long as TXT records related to it can be created temporarily. And the certificate does not necessarily have to be created on the machine that’s eventually going to use it, if you have a way to transfer the files between machines.
I’m not sure I’ve understood your constraints well enough to offer more detailed advice, so feel free to try to explain further and we can think about it further.