@ioqy
ioqy / tutorial.md
Last active May 12, 2024 18:08
Free Let's Encrypt certificate without opening any ports

With this tutorial you will get a valid SSL certificate from Let's Encrypt without having to open any incoming ports. You can use the certificate to enable HTTPS with your reverse proxy (Apache, Nginx, Caddy, ...) or another self-hosted service. Since it only uses acme.sh, which is a shell script, it should work on everything that runs Linux.

The tutorial was written for and tested with Duck DNS and deSEC, but you can (in theory, because I did sadly encounter a few bugs/incompatibilities here and there) use any of the 150+ DNS providers supported by acme.sh (there is also a second page at the end!). If you want to use a wildcard certificate, I would recommend deSEC because Duck DNS currently has a bug/incompatibility with acme.sh.

If you want to use another DNS provider, you can skip right to 2. Install acme.sh, but you need to change the parameter `--dns YOURDNS` in all the commands and set all necessary variables yourself according to t