Hi @macbrook98 - yes, you absolutely can do that!
Caddy typically relies on ACME to requisition its certificates.
ACME provides for a number of methods to solve a challenge to prove you are who you say you are and grant you a valid certificate: Challenge Types - Let's Encrypt
One of those methods is DNS validation, which you can do without ever allowing external access to your Caddy server. To use it, you’ll need a DNS provider with an API that Caddy can use to update public records and solve the challenge. Then you’ll need to download a copy of Caddy with that provider’s DNS module included. You’ll find instructions on how to do that in the below wiki post: