I did something similar using AWS Route 53 and documented it here: https://linsomniac.gitlab.io/post/2019-09-10-letsencrypt-with-route53/

This setup creates an AWS key pair for each DNS name that can be used to prove ownership to LetsEncrypt. So the machines in question, say dev workstations, can generate signed certs.

We used to use self-signed certs with long expiry times, but it sounds like in the not-too-distant future there will be browser animosity towards long-lived certs.
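The per-name credential idea above works best when each key pair is attached to an IAM policy that can touch only that name's ACME challenge record. The following is an added example (not the commenter's setup and not code from the linked post): it builds such a policy for one hosted zone and one DNS name using Route 53's `ChangeResourceRecordSetsNormalizedRecordNames` and `ChangeResourceRecordSetsRecordTypes` condition keys, and includes a local pre-flight check that mirrors the policy's `ForAllValues` semantics so a client can reject an over-broad change batch before calling AWS. The hosted zone ID, hostnames and the `Sid` values are made-up; the `ListHostedZones`/`GetChange` statement covers what the certbot `dns-route53` plugin needs to find the zone and poll for propagation.

```python
"""Least-privilege IAM policy for ACME DNS-01 on Route 53, one policy per DNS name.

Added example; the zone ID and hostnames below are made up.
"""
import json


def normalize_name(name: str) -> str:
    """Normalize a DNS name the way the Route 53 condition key expects:
    lowercase, no trailing dot. A leading wildcard label is dropped because
    a wildcard cert for *.dev.example.com is validated via
    _acme-challenge.dev.example.com."""
    name = name.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return name


def acme_dns01_policy(hosted_zone_id: str, dns_name: str) -> dict:
    """Return a policy document that may only write the TXT challenge record
    for dns_name inside hosted_zone_id."""
    challenge_record = "_acme-challenge." + normalize_name(dns_name)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Needed to locate the zone and poll change status; neither
                # call can modify records.
                "Sid": "LookupZonesAndPollChanges",
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:GetChange"],
                "Resource": "*",
            },
            {
                # ForAllValues: every record name and type in the ChangeBatch
                # must be in these lists, otherwise the whole call is denied.
                "Sid": "OnlyThisChallengeRecord",
                "Effect": "Allow",
                "Action": "route53:ChangeResourceRecordSets",
                "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}",
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                            challenge_record
                        ],
                        "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
                    }
                },
            },
        ],
    }


def change_batch_allowed(policy: dict, changes: list) -> bool:
    """Local approximation of the IAM condition above: True only if every
    record in the batch is an allowed name with an allowed type. This is a
    client-side pre-flight check, not a substitute for IAM enforcement."""
    stmt = next(s for s in policy["Statement"] if s["Sid"] == "OnlyThisChallengeRecord")
    cond = stmt["Condition"]["ForAllValues:StringEquals"]
    names = set(cond["route53:ChangeResourceRecordSetsNormalizedRecordNames"])
    types = set(cond["route53:ChangeResourceRecordSetsRecordTypes"])
    return all(
        normalize_name(c["ResourceRecordSet"]["Name"]) in names
        and c["ResourceRecordSet"]["Type"] in types
        for c in changes
    )


if __name__ == "__main__":
    # Constructed values: a fake zone ID and a wildcard name for a dev box.
    policy = acme_dns01_policy("Z0123456789ABCDEFGHIJ", "*.dev.example.com")
    print(json.dumps(policy, indent=2))
```

Attach one such policy to one IAM user (or, better, a role assumed with short-lived STS credentials) per workstation; the key pair then cannot hijack `www.example.com`, change an MX record, or issue for any other name in the zone even if it leaks.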