The alternative is to offer the Let’s Encrypt bot access to your DNS service, typically in the form of an API token which you revoke after the bot verifies the domain. Access to the API is not needed for subsequent cert refreshes, only the first time.
The bot (or the proxy you use) needs to support the API of the DNS you use, naturally, but they support a wide variety of the most well-known ones.
Just to add to the other comments, you probably want to use a wildcard cert so you don’t need to individually certify each subdomain (or expose them at all).
Is this only for public facing services then? I have little desire to expose my services except through tailscale or something like that.
No! If you have a domain and can do DNS* verification you can get fully functional certificates to use on your internal network.
*Doesn’t have to be DNS, but then you’d need to expose http to the internet for verification.
Reading a post on the LE forum it sounds like smallstep might be closer to what I need.
The alternative is to offer the Let’s Encrypt bot access to your DNS service, typically in the form of an API token which you revoke after the bot verifies the domain. Access to the API is not needed for subsequent cert refreshes, only the first time.
The bot (or the proxy you use) needs to support the API of the DNS you use, naturally, but they support a wide variety of the most well-known ones.
Just to add to the other comments, you probably want to use a wildcard cert so you don’t need to individually certify each subdomain (or expose them at all).