Oops... I should have realized certbot's http challenge was never going to be able to work for this server with a site that's internal only.
@consoleaccess acme.sh can get LetsEncrypt certificates without need of incoming HTTP access through use of socat. That might help you.
@neildarlow This is awesome, I appreciate the suggestion! I was looking at the DNS challenge option of certbot, but as the process I'm working on will need to be repeated this looks like it might be a much more elegant solution without people bottlenecking at me to make TXT records.
Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.