We are going to be moving our intranet (internal) website and it is only available for employees, but will be put in our DMZ next to our public website. I was just going to add the intranet domain to the certificate (which is a subdomain off our main domain) which will work fine, but since it will only be available to folks with a login how can I get Let's Encrypt to do the whole .well-known file read thing?
The validation addresses are intentionally not available and may change at any time with no prior notice:
If you want to use the HTTP-01 challenge method for your intranet certificate, you should configure it not to require a login for /.well-known/acme-challenge specifically. Web servers can be configured to require a login by default for web content, but not for specific paths.
Alternatively, you can use the DNS-01 challenge method, which doesn't require Let's Encrypt to connect directly to your web server.
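As an added illustration of the HTTP-01 approach described in the reply above (this is example configuration, not something posted in the thread), here is an nginx server block that requires HTTP Basic authentication for the whole intranet site but exempts only the ACME challenge path. The host name, the htpasswd file and the webroot directory are assumptions; substitute your own.

```nginx
# Added example (not from the original thread): nginx server block for an
# intranet host that requires a login everywhere except the ACME challenge
# path. intranet.example.com, the htpasswd path and the webroot are assumed.
server {
    listen 80;
    server_name intranet.example.com;

    # Default for the whole site: every request must authenticate.
    auth_basic           "Intranet";
    auth_basic_user_file /etc/nginx/intranet.htpasswd;

    # Exempt only /.well-known/acme-challenge/ so the Let's Encrypt
    # validator can fetch the token anonymously. The token files are
    # written here by the ACME client (e.g. certbot --webroot -w /var/www/letsencrypt).
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else is redirected to HTTPS once the certificate is issued;
    # the ^~ location above still takes precedence for challenge requests.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

The exemption has to be made at the application (login) layer rather than by an IP allowlist, because, as noted earlier in the thread, the validation addresses are not published and may change without notice; port 80 on the intranet host therefore needs to be reachable from the Internet for HTTP-01 to work. If that is not acceptable in the DMZ, DNS-01 avoids the inbound connection entirely.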