• dan@upvote.au
    2 days ago

    With your idea, you either have to list a local IP in your public DNS record, or hijack your local DNS to point to the local IP. Both feel inelegant.

    The DNS records for your internal servers don’t have to be public - they can be only on an internal DNS server if you want to do that. Only the _acme-challenge subdomain has to be public. Let’s Encrypt does follow CNAMEs.

    And you have to give your NAS write access to your API key of your DNS registrar

    You can use a separate DNS server just for Let’s Encrypt, as it follows CNAMEs. I use acme-dns for this. Let’s Encrypt supports IPv6-only DNS servers so I have my acme-dns instance listening on an IPv6 address in the /64 range on one of my VPSes.
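
The delegation described in this comment, as an added example that is not part of the original post: it builds the single public CNAME record, computes the DNS-01 TXT value, and assembles (without sending) the acme-dns `/update` request, so the credential stored on the NAS can write only that one TXT record. All host names, the subdomain UUID and the credentials are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample values (assumptions, not taken from the post).
INTERNAL_NAME = "nas.home.example.com"   # resolves only on the internal DNS server
ACME_DNS_ZONE = "auth.example.net"       # zone served by the acme-dns instance
ACME_DNS_SUBDOMAIN = "8e5700ea-a4bf-41c7-8a77-e990661dcc6a"  # stands in for the /register result


def challenge_name(fqdn):
    """Name the CA queries for DNS-01; a wildcard shares its base name's record."""
    if fqdn.startswith("*."):
        fqdn = fqdn[2:]
    return "_acme-challenge." + fqdn.rstrip(".")


def delegation_record(fqdn, subdomain, zone):
    """The only record that must be public: a CNAME into the acme-dns zone."""
    return f"{challenge_name(fqdn)}. 300 IN CNAME {subdomain}.{zone}."


def dns01_txt_value(key_authorization):
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)), no padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def acme_dns_update(subdomain, username, api_key, txt):
    """Build the acme-dns POST /update request: (path, headers, JSON payload)."""
    if len(txt) != 43:  # an unpadded base64url SHA-256 digest is always 43 characters
        raise ValueError("TXT value is not a DNS-01 digest")
    headers = {"X-Api-User": username, "X-Api-Key": api_key}
    return "/update", headers, {"subdomain": subdomain, "txt": txt}


if __name__ == "__main__":
    print(delegation_record(INTERNAL_NAME, ACME_DNS_SUBDOMAIN, ACME_DNS_ZONE))
    txt = dns01_txt_value("constructed-token.constructed-thumbprint")
    print(acme_dns_update(ACME_DNS_SUBDOMAIN, "constructed-user", "constructed-key", txt))
```

The key held by the NAS is scoped to one acme-dns subdomain, so a compromise of that host does not expose write access to the rest of the zone at the registrar.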