In that case you’re using either HTTP or TLS verification, which only works if you have a public static IP/port that LE can access. You can’t do that from behind a NAT without port forwarding and you generally don’t want your local Docker machines to be accessible to the internet.
Unless your cron script is doing some funky DNS altering, that is.
Oh, that’s cool, I hadn’t heard of lego before! But still, you shouldn’t need to buy a domain to do stuff locally on your own device and it adds quite a bit of complexity.
The only thing we care about is that there's just one authoritative name hierarchy. If somebody in the name hierarchy wants to give you a name without selling it, that would be totally fine.
I would totally be down with say, the US government issuing citizens with a DNS name under their ccTLD somewhere. Done your tax paperwork in reasonable time? Your name is guaranteed by law to keep working for another year. Maybe 1480219643.ny.citizen-names.us is ugly but it'd satisfy this problem for individuals. Maybe they could bolt on a checkbox, $50 extra to the IRS and you get to pick any as-yet unreserved legal name, or they have rules like for license plates.
Put the emphasis on the word "buy" instead, because they were describing a situation where you don't need to buy.
There are also free dynamic DNS providers that let you set TXT records and get certificates. But of course you can't depend on one of those to last forever.
1. have the domain in question resolve to a server with a public IP
2. have that server generate the certs with any ACME client with HTTP challenge
3. have that server ship the certs to the actual server hosting the service via intranet
4. in the intranet, have the domain resolve to the actual server via /etc/hosts override
All of that is not that hard to set up even at scale with proper config management tools. Having said that, I don't actually use it for that many services myself. The most significant one is LDAPS.
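Steps 3 and 4 of the procedure above, seen from the intranet host, as an added example that is not part of the thread: the pushed certificate and key are checked for truncation, installed with the key readable by its owner only, and the name is pinned in the hosts file. The function names, the `fullchain.pem`/`privkey.pem` file names and all paths and addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example: runs on the intranet host after the public ACME host has
# pushed fullchain.pem and privkey.pem into an inbox directory.
# All paths, names and addresses are assumptions, not from the thread.

# install_cert INBOX LIVE: validate the pushed pair, then swap it into place.
install_cert() {
    inbox=$1; live=$2; stage="$live.new.$$"
    # A truncated or non-PEM transfer must never go live.
    grep -q -- '-----END CERTIFICATE-----' "$inbox/fullchain.pem" || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$inbox/privkey.pem" || return 1
    grep -q -- '-----END .*PRIVATE KEY-----' "$inbox/privkey.pem" || return 1
    mkdir -m 700 "$stage" || return 1
    cp "$inbox/fullchain.pem" "$inbox/privkey.pem" "$stage/" ||
        { rm -rf "$stage"; return 1; }
    chmod 644 "$stage/fullchain.pem"
    chmod 600 "$stage/privkey.pem"      # key readable by the owner only
    # Replace the whole directory so cert and key always change together.
    rm -rf "$live.old"
    if [ -d "$live" ]; then mv "$live" "$live.old" || return 1; fi
    mv "$stage" "$live"
}

# pin_host HOSTS_FILE IP NAME: idempotent hosts-file override for NAME.
pin_host() {
    hosts=$1; ip=$2; name=$3; tmp="$hosts.tmp.$$"
    # Keep comments, drop any line already mapping NAME, append the new one.
    awk -v n="$name" '
        /^[ \t]*#/ { print; next }
        { for (i = 2; i <= NF; i++) if ($i == n) next; print }
    ' "$hosts" > "$tmp" || return 1
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    # Rewrite in place: keeps the file's inode, owner and mode.
    cat "$tmp" > "$hosts" && rm -f "$tmp"
}

# Usage: deploy.sh run INBOX LIVE HOSTS_FILE IP NAME
if [ "${1:-}" = run ]; then
    install_cert "$2" "$3" && pin_host "$4" "$5" "$6"
fi
```

The service still has to be reloaded after the swap so it picks up the new pair; how to do that depends on the service and is left out here.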