There are a couple of things relevant here.
- Currently, Let’s Encrypt supports http-01 and tls-sni-01 verification. Both methods require access to either port 80 or 443 on the exact domain you’re trying to get a certificate for. Once you’ve passed a challenge, I believe the authorization you get for your domain is valid for 10 months, i.e. you could get certificates for up to 13 months. As far as I know, the client doesn’t yet make use of this, and requests a new challenge/authorization every time it runs.
- In the future (hopefully soon!), Let’s Encrypt will also support the dns-01 challenge. With this option, you don’t need to expose your service to the outside - it’s enough to change some DNS records. This is probably the easiest option for intranet sites where you need an external CA. This won’t work for domains like .local - Baseline Requirements force Let’s Encrypt to only issue certificates for ICANN domains (those found on the public suffix list).
- Probably even further in the future, Let’s Encrypt might implement proof of possession challenges. It has not been decided in which cases this will be necessary; it might be opt-in for domain owners, or only necessary for high-profile sites. The way it works is that you need to sign something using a private key that’s been used for TLS on your domain before. But don’t worry about this yet until all the details are settled.