You can use the DNS-01 challenge [1] to get a certificate. You just need to add a temporary TXT record to your DNS. It also supports wildcard certificates.
Most popular DNS providers (like Cloudflare) have an API, so it can be easily automated.
I'm using it in my local network: I have a publicly available domain for it (intranet.domain.com) and I don't want to expose my local services to the world to issue a certificate trusted by a root CA on all my devices. So, this method allows me to issue a valid Let's Encrypt wildcard cert (*.intranet.domain.com) for all my internal services without opening any ports to the world.
It's the actual source code, but this is the result of two known WONTFIX issues on GitHub:
* Any commit can be attributed to any user on the site by way of the author/committer fields in git. No authentication or checking is done.
* Any content can be attached to any repository that accepts pull requests, and will be accessible on that repository's URL if you have its hash (previous discussion: https://news.ycombinator.com/item?id=24882921)
GitHub allows enterprise customers to run their own GitHub instance on-premises, so any one of those could have peeked inside the VM and pulled out the source code.
[1]: https://letsencrypt.org/docs/challenge-types/#dns-01-challen...