In order to be issued a certificate, Let's Encrypt needs to verify you have control over the domain. This process is automated through challenges, such as setting up a local webserver, or adding DNS TXT records. I don't like the DNS-TXT challenge, as it requires giving every host a DNS service account.
I came up with my own solution. The .well-known/acme-challenge directory can be hosted using S3, allowing Let's Encrypt to perform an HTTP-01 challenge. This method requires the least amount of privileges on the host (no ports need to be open).
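As an added example (not code from the original post), here is a certbot manual auth hook that publishes the HTTP-01 response to S3. It assumes certbot is the ACME client, the bucket name is in ACME_BUCKET, and the AWS CLI is installed with a role that can only PutObject under the acme-challenge prefix; how HTTP requests for the host reach the bucket is whatever you have configured.

```shell
#!/bin/sh
# Certbot --manual-auth-hook that writes the HTTP-01 challenge response to S3.
# Assumed (not from the original post): ACME_BUCKET holds the bucket name and the
# AWS CLI credentials are limited to PutObject on .well-known/acme-challenge/*.
set -eu

# Build the object key for a challenge token. RFC 8555 tokens are base64url,
# so reject anything else: the token becomes a file name and must not be able
# to escape the challenge prefix (e.g. "../").
challenge_key() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  printf '.well-known/acme-challenge/%s' "$1"
}

# Upload the key authorization (token.thumbprint) as the challenge object.
publish_challenge() {
  bucket=$1; token=$2; validation=$3
  key=$(challenge_key "$token") || { echo "refusing malformed token" >&2; return 1; }
  printf '%s' "$validation" | aws s3 cp - "s3://$bucket/$key" --content-type text/plain
}

# Certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION when it runs the hook;
# when those are absent (e.g. the script is sourced for testing) nothing is uploaded.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
  publish_challenge "${ACME_BUCKET:?set ACME_BUCKET to the bucket name}" \
    "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
fi
```

Pair it with a cleanup hook that deletes the object once validation finishes, so stale tokens do not accumulate in the bucket.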
The primary reason I want internal hosts to have valid certs is quite simple - invalid/untrusted certificates break things! A secondary reason is that constant browser warnings are annoying, and false alarms are detrimental to security.