The key benefit of Let’s Encrypt certificates over those minted by yourself is that they will be trusted out of the box by most devices: a friend’s borrowed laptop, the PC in a business colleague’s office, a new iPhone you just bought, and so on. There is no benefit in terms of the quality of encryption algorithms used, protection from attackers and so on.
So I would examine your circumstances and think about whether that trust benefit is important for some or any of the devices (other than the VMs with the externally facing ports), and unless it is, I just wouldn’t bother with Let’s Encrypt. However, for the certificates that aren’t from Let’s Encrypt or another publicly trusted CA, you do need to pay extra attention to the Trust On First Use (TOFU) step, where you tell a web browser or similar software to trust this unknown certificate. Avoid software that doesn’t let you apply TOFU principles, because it’s just too tiring to check carefully every single time you use a system - but paying careful attention and taking precautions just once, the first time, is doable for a home network.
For the second half of your question, consider using DNS challenges instead of HTTP / HTTPS challenges if that’s practical for your setup. Otherwise, consider having the web server handle certificate creation and just copy the certificates (securely, e.g. with SFTP) and their private key to the other servers. If the web server handles HTTP traffic for example.com, www.example.com and mail.example.com, and the email server handles SMTP and IMAP for example.com and mail.example.com, you could use the same certificate for both very easily.
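The TOFU step in the answer above is only as good as the check you do the first time. As an added example (not from the original post or any particular tool), here is a small stdlib-only pin store: on first contact it refuses to pin a self-signed certificate unless you pass in the SHA-256 fingerprint you read off the server itself (e.g. from its console), and on every later contact it compares the presented certificate against the stored pin. The pin file location, host names and certificate bytes are all assumptions or constructed test data.

```python
"""TOFU pinning for self-signed certificates on a home network (added example, stdlib only)."""
import base64
import hashlib
import json
import ssl
from pathlib import Path

# Assumed location for the pin file; adjust to taste.
PIN_FILE = Path.home() / ".local" / "share" / "cert-pins.json"


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding: the same value a browser's certificate viewer
    or `openssl x509 -noout -fingerprint -sha256` shows, minus the colons."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def load_pins(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


def tofu_check(pins: dict, host: str, pem: str, confirmed: str = "") -> str:
    """Return one of: unpinned, rejected, pinned, match, MISMATCH.

    `confirmed` is the fingerprint obtained out of band (colons and case ignored).
    Without it, an unknown host is never pinned: that is the "pay attention the
    first time" step, and the caller must go and fetch the real fingerprint.
    """
    seen = fingerprint_sha256(pem)
    known = pins.get(host)
    if known is None:
        if not confirmed:
            return "unpinned"            # first contact: do not trust blindly
        if confirmed.replace(":", "").lower() != seen:
            return "rejected"            # presented cert is not the one you verified
        pins[host] = seen
        return "pinned"
    return "match" if known == seen else "MISMATCH"   # MISMATCH = cert changed; investigate


def make_constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour. Constructed test input only, not a real certificate."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
```

A pin that suddenly changes is exactly the event TOFU is meant to surface, so treat MISMATCH as "stop and check", not as a prompt to re-pin.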