Came here to say the same. I use DNS-Challenge rather than HTTP-challenge, and that makes internal servers trivial.

You need a DNS provider which supports API calls (I use DNSimple) but the core is all very straightforward.

To prevent having to include DNSimple authentication on the client's internal server I have a small API server on the web which does the Acme work.

> You need a DNS provider which supports API calls (I use DNSimple) but the core is all very straightforward.

Library/CLI that speaks the API of several dozen DNS providers so you don't have to re-invent the wheel:

* https://github.com/dns-lexicon/dns-lexicon

Interesting, this is the first time I've seen this project. One thing I saw that concerns me a bit is that they provide command-line options for passing your user credentials and multi-factor code. I'm not a fan of giving anything that level of access when a resource-specific access token will do, but that's me.

I do this exactly, using ACME DNS:

https://github.com/acme-dns/acme-dns

CAUTION, though, the last time I downloaded a binary release, ClamAV triggered on it, so I kept my old version which worked. I was using the 1.0 series (without any problems!), and now it seems the project has picked up development again with a 2.0 series.