A Github Action running acme.sh that pushes certs to S3 solves the split dns issue for hosts, which can cause all sorts of weirdness after a while. You can then grab a cert on a schedule and even make them wildcard if you want. Then you will get NXDOMAIN if you are not on the VPN so ideally no public traffic.

DNS-01 validation is way less work than that in my experience.

Thats what this Github Action uses is DNS validation through acme.sh and updating a Route53 domain.