1. The problem I’m having:
I would like to set up a reverse proxy that handles TLS for a number of services running in containers. Both the proxy and the services are internal to our network, not on the public internet.
I have ‘split DNS’ - the Windows domain handles DNS requests internally.
I’d like the certs to be valid to non-domain-joined devices, e.g. a phone that happens to be on the LAN.
My external DNS provider only does changes by manual request - there’s no automated system.
The number of certs required is less than 20, and wouldn’t change often.
As far as I can tell, I have two choices with those limiting conditions:
A - set up a Caddy server that is on a public IP, have it get certs, then set up some sort of synchronization of the cert folder between that external server and an internal one
B - set up CNAMEs for the internal services, on the external DNS, pointing to say a DuckDNS entry and then use this dns_challenge_override_domain option
Option B seems like a more accepted solution, but I can’t piece all the details together.
2. My actual questions
Can someone provide me with some documentation or a tutorial or something that spells out the override procedure in detail? I’ve seen a few bits and pieces, but haven’t been able to put together enough of the puzzle to get to the actual testing stage.
Maybe this is actually a Let’s Encrypt or ACME question? If so, where should I go? (leaving myself wide open here)
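Added example (not part of the post above, and not from the Caddy project docs): a Caddyfile showing how option B fits together. All names are placeholders: app1.corp.example.com and app2.corp.example.com stand in for the internal service hostnames, acme.duckdns.org for a DuckDNS host the operator controls, and DUCKDNS_API_TOKEN for the token in Caddy's environment. It assumes Caddy was built with the DuckDNS DNS module (xcaddy build --with github.com/caddy-dns/duckdns) and that the external DNS provider has been asked, by manual request, to publish CNAMEs for the _acme-challenge names; only the DuckDNS record ever changes automatically.

```caddyfile
# Added example, not the original poster's config. Placeholder names throughout.
#
# External (public) DNS, set once by manual request to the provider:
#   _acme-challenge.app1.corp.example.com.  CNAME  acme.duckdns.org.
#   _acme-challenge.app2.corp.example.com.  CNAME  acme.duckdns.org.
# Internal (split) DNS: app1/app2.corp.example.com -> the proxy's LAN address.
#
# Flow for each hostname: the CA looks up _acme-challenge.<host>, follows the
# CNAME to acme.duckdns.org, and reads the TXT value there. Caddy, via
# dns_challenge_override_domain, writes that TXT value to acme.duckdns.org
# using the DuckDNS API instead of touching the provider that has no API.

(lan_tls) {
	tls {
		# DuckDNS module; token read from Caddy's environment (assumed set).
		dns duckdns {env.DUCKDNS_API_TOKEN}

		# Put the challenge TXT record at the DuckDNS host, not at
		# _acme-challenge.<site>, so the CNAME above is what the CA follows.
		dns_challenge_override_domain acme.duckdns.org

		# Check propagation against public resolvers, not the Windows
		# domain's split-horizon DNS, which knows nothing about DuckDNS.
		resolvers 1.1.1.1 8.8.8.8
	}
}

app1.corp.example.com {
	import lan_tls
	# Container name and port are placeholders.
	reverse_proxy app1:8080
}

app2.corp.example.com {
	import lan_tls
	reverse_proxy app2:3000
}
```

Two things worth checking before relying on this. First, from a machine outside the LAN, confirm the CNAME is really published (for example `dig +short CNAME _acme-challenge.app1.corp.example.com @1.1.1.1` should print the DuckDNS name); if the external provider has not applied the request, the challenge fails no matter what Caddy does. Second, every hostname's challenge lands on the same DuckDNS TXT record, so orders that run at the same moment can overwrite each other's value; with fewer than 20 names Caddy's retries normally sort this out, but a separate DuckDNS subdomain per service (with its own override domain in a per-site tls block) removes the contention entirely. Also remember that publicly trusted certificates are logged to Certificate Transparency, so the internal hostnames themselves become public even though the services do not.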