I.e., let's say your internal network DNS domain is 'my-company-lan.com'. All you have to do is ensure that 'my-company-lan.com' is also registered in public DNS, and then you can secure ALL your internal services using a free LE wildcard cert that's automatically trusted by all platforms and browsers. For some companies that's going to be a BIG cost and resource saving.
 but not actually used for any public facing services.
It's at this point that I swear profusely at Microsoft yet again, for pushing the concept of '.local' domain suffixes a decade ago. As it's not a legal TLD, I can't get certs for any of my internal services without rolling my own internal CA, which only works automatically for Windows domain machines, and not for anything else.
"One cert to rule them all, and in the darkness 'bind' them."
For the wildcard certs, you just need to add a TXT record to the public DNS entry, no public web server required.
Even if you have no intention of using your internal DNS domain name on the internet, it's good practice to register it anyway.
The problem here is that there's no such thing as domain ownership, only domain renting. You forget to pay your bill (read: someone loses an email) and a core part of your infrastructure is up in smoke, or worse, taken over by a squatter.
I don't think there's a way around coming up with a reliable process for renewing your domain. You somehow manage to do it for lots of other things already.
See e.g. point 4:
Most clients that support DNS-01 can use nsupdate or APIs of public DNS providers to make this an automated process.
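As an added illustration of the two comments above (the TXT record for the wildcard cert, and automating it with nsupdate), here is a small Python helper that computes the `_acme-challenge` TXT record a CA checks for a DNS-01 challenge (RFC 8555 section 8.4, account-key thumbprint per RFC 7638) and emits the `nsupdate` script that would publish it. This is example code written for this page, not code from the thread or from any ACME client; the account key, token, zone and server address are constructed placeholders, and it only generates the script rather than running `nsupdate`.

```python
"""DNS-01 challenge helper: derive the _acme-challenge TXT record and an
nsupdate script that publishes it. Added example, not from the thread."""
import base64
import hashlib
import json
from typing import Iterable, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the canonical
    JSON of the required members only (lexicographic keys, no whitespace)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(identifier: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """Return (owner name, TXT value) for a DNS-01 challenge.
    The CA validates a wildcard '*.example.com' at '_acme-challenge.example.com',
    so the '*.' label is dropped from the owner name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{thumbprint}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def nsupdate_script(server: str, zone: str, name: str, value: str, ttl: int = 60) -> str:
    """Build the text fed to `nsupdate` (RFC 2136 dynamic update). A low TTL
    keeps stale challenge values from lingering in resolver caches."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}.",
        f"update delete {name}. TXT",
        f'update add {name}. {ttl} IN TXT "{value}"',
        "send",
        "",
    ])


def ca_would_accept(txt_records: Iterable[str], expected: str) -> bool:
    """Mirror of the CA's check: the expected value must appear among the TXT
    records at the challenge name (several may coexist, e.g. when the base
    name and the wildcard are validated in the same order)."""
    return any(r.strip('"') == expected for r in txt_records)


if __name__ == "__main__":
    # Constructed placeholder account key and token; a real client gets the
    # token from the CA and the thumbprint from its own account key.
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}
    token = "placeholder-token-from-CA"
    name, value = dns01_record("*.my-company-lan.com", token, jwk_thumbprint(account_jwk))
    print(nsupdate_script("192.0.2.53", "my-company-lan.com", name, value))
    print("CA would accept:", ca_would_accept([f'"{value}"'], value))
```

Piping the generated text into `nsupdate -k <tsig-key-file>` is what an ACME client's DNS-01 hook does; the TSIG key should be scoped so it can only update `_acme-challenge` names, so a compromised renewal host cannot rewrite the rest of the zone.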