Using the DNS challenge with LE, you can create a wildcard cert that is valid for *.domain.tld. Now you need a simple local DNS server like PiHole to resolve any local domains to your local reverse proxy serving local sites with the wildcard cert and you're done. You only need an internet connection on the user's browser to get the little green lock and when you generate the wildcard cert itself.
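An added example, not part of the thread: a check of which local hostnames a `*.domain.tld` wildcard certificate would cover, useful when deciding what the local DNS server should hand to the reverse proxy. The hostnames are constructed, and the matcher assumes the usual rule that `*` is valid only as the whole leftmost label and stands for exactly one label.

```python
# Added example: which hostnames does a wildcard SAN actually cover?
# All hostnames below are constructed for illustration.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate SAN entry covers the hostname.

    Simplified wildcard rule (assumption, in the spirit of RFC 6125):
    '*' may only be the entire leftmost label and matches exactly one label.
    """
    if "*" in hostname:
        return False  # a literal '*' is never a valid hostname to connect to
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # different depth: the wildcard never spans several labels
    if p[0] == "*":
        return p[1:] == h[1:]  # everything right of the wildcard must be identical
    return p == h  # no wildcard (or a partial one like 'f*'): exact match only


def coverage(sans, hostnames):
    """Map each hostname to whether any SAN entry covers it."""
    return {name: any(san_matches(s, name) for s in sans) for name in hostnames}


WILDCARD_SANS = ["*.domain.tld"]  # the cert from the DNS challenge
LOCAL_NAMES = [
    "nas.domain.tld",        # one label under the zone
    "local.domain.tld",      # also one label under the zone
    "domain.tld",            # the apex itself
    "nas.local.domain.tld",  # two labels under the zone
]

if __name__ == "__main__":
    for name, ok in coverage(WILDCARD_SANS, LOCAL_NAMES).items():
        print(f"{name:24} {'covered' if ok else 'NOT covered'}")
```

Names nested under `local.domain.tld` would need their own SAN entry such as `*.local.domain.tld`, and the apex needs `domain.tld` listed explicitly.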
Gorgor|7 years ago
I’d prefer getting a separate certificate for local.domain.tld instead.
Please correct me if I have a misunderstanding.