Of the back of https://www.geekzone.co.nz/forums.asp?forumid=66&topicid=208215

@freitasm - I understand how to do the letsencrypt for the public accessible parts of my network (I've got public accessible site running off home).

But for your other internal names where you own the domain, how are you doing the renewals if they're not accessible for verification on the internet?

So I have 

home.mydomain.com - this is  accessible this points to a machine that I internally call machine.mydomain.com

So I manually created a certificate last night for home.mydomain.com and machine.mydomain.com and used the dns verification.  But apprarently for renewal I'll need to do that all over again.

How are others handling it?