Now, technically this should work fine, and I do not believe that in itself this violates any of LE's policies but I'm aware that they are required to revoke any certificate they consider to be compromised. So my question really is: what specifically would LE consider and not consider "compromised"?
To make this work, the private key used to issue the certificate must be located on the router to be able to sign the HTTPS sessions. It is therefore not accessible by any other client on the LAN, and can also quite easily be protected from any other non-root user who might be able to access the router via SSH for example. I expect LE to consider this as an acceptable situation, since it's essentially how any normal web server that LE has issued millions of certificates to operates.
The question however is, would LE still consider the PK secure in a situation where the router is physically accessible, but the PK is for example located on an encrypted partition?
I'm not a lawyer or something, but as long as the private key is safe from other users and it's physically also not possible to retrieve the private key (e.g., stick a console cable into the router without a login), I'd say the only thing you'd need to worry about is if either your router is hacked or physically stolen. Although the latter might not be that relevant if it's not possible to access the router without a factory reset (which should delete the private key).
If the people on your LAN are trusted users, allowing them access to the key would not be considered "compromised".
If you were selling this LAN device and bundled in the LE Cert, or it was a cloud service, and unrelated users were able to access the key(s), it would be considered "compromised".
There is a lot of room for different scenarios and interpretation between these two concepts - but most concerns about this fall within these two concepts.
Even if not encrypted, this is reasonably secure as the key is locked down by permissions on the filesystem.
My advice: as this is not a public service, you can just use a self-signed certificate. And as you control the whole network, you can just use unencrypted HTTP.
Remember that Let's Encrypt certificates only last 90 days.
Thanks for all the replies, it got more attention than I expected. To clarify:
- Yes, I worded that very badly; I did mean "resolve to". Specifically, the router will create a DNS record for all the clients on the network resolving "webadmin.my-domain.tld" to "<router's IP address>", and furthermore the web admin interface will be served on port 443 rather than 8080.
- We are in fact selling this router to customers; however, the customer will not have root access to the router (and therefore no runtime access to the PK).
- The disk will be encrypted, but obviously the customer will have to have the ability to decrypt this on startup.
- We will have the ability to revoke the certificate ourselves if the router is stolen or otherwise physically compromised.
- The certificate would be issued for a domain/subdomain the customer has no control over.
- We would very much prefer to avoid self-signed certificates.
You can encrypt whatever you want; short of putting an HSM in your device, someone will find a way to extract the private key.
You're not the first one to get this idea. It ended badly already.
On the other hand, if each router has its own domain (i.e. serialnumber.clients.yourcompany.example.com), you can make the router perform its own ACME challenge via dns-01; just make sure you authenticate it.
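A worked example of the per-device dns-01 scheme suggested in that last reply, added here and not code from the thread or from any project: it computes the `_acme-challenge` TXT value for a router's own name from the ACME challenge token and the account key thumbprint (RFC 7638 / RFC 8555), and shows one way the company's DNS update API can authenticate the router and confine it to its own label. The zone name, the device-secret HMAC scheme and the sample EC JWK are assumptions.

```python
import base64
import hashlib
import hmac
import json
import re

# Naming scheme from the reply: one label per device under a company-controlled zone (assumed name).
ZONE = "clients.yourcompany.example.com"
# Per-device secrets provisioned at manufacture; constructed sample registry, not a real key store.
DEVICE_SECRETS = {"SN0001": b"constructed-secret-0001", "SN0002": b"constructed-secret-0002"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_record_name(serial: str) -> str:
    """The TXT record the router must publish for its own name (RFC 8555 section 8.4)."""
    return f"_acme-challenge.{serial}.{ZONE}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token '.' thumbprint(account key); TXT = base64url(SHA-256(keyAuthorization))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def sign_dns_update(serial: str, secret: bytes, name: str, value: str) -> str:
    """Router side: authenticate its DNS update request with its own provisioned secret (hypothetical scheme)."""
    return hmac.new(secret, f"{serial}\n{name}\n{value}".encode(), hashlib.sha256).hexdigest()


def authorize_dns_update(serial: str, name: str, value: str, mac_hex: str) -> bool:
    """Company DNS API side: accept the update only from the named device and only for its own label."""
    secret = DEVICE_SECRETS.get(serial)
    if secret is None:
        return False
    if not hmac.compare_digest(sign_dns_update(serial, secret, name, value), mac_hex):
        return False
    # Least privilege: a device can never publish a challenge for another device's name, so one
    # extracted router secret cannot be used to obtain certificates for the rest of the fleet.
    return name == dns01_record_name(serial) and re.fullmatch(r"[A-Za-z0-9_-]{43}", value) is not None
```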