You may not want to, but you can use public certs and URLs on your intranet. You can't necessarily do http-01 challenges, but DNS-based challenges are feasible. There are also other ACME providers which will let you skip challenges for DCV'd domains.
I'm sure there will be a setting flag to stop blocking http sites, or maybe even a domain exclusion which will let you set up your intranet to work on http.