
> next to impossible to run a public home server

How so? I run a public HTTP server and a VPN server from a Raspberry Pi in my living room. It was pretty easy to set it up. Regarding the HTTP server, the only thing that was different from the last time I did this (around 2004) were SSL certificates.



What is the easy way to get SSL certs for my private network, which are recognized by all my browsers? My private host has no public IP or hostname, thus can't verify automatically via Let's Encrypt.


You can do two other things, besides using a wildcard domain as mentioned in a sibling comment.

1) Use public DNS to validate instead of HTTP. I do this for internal-only web servers. TXT records are updated during renewal using Hurricane Electric's DNS service at dns.he.net.

2) Run your own CA. This used to be a huge pain, until I found gnoMint. I use this to generate certificates for OpenVPN. If necessary, installing a root certificate is not difficult on most systems. You can set it to expire in, say, 10 years, so you won't need to update it so often.
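For the DNS validation route in 1), here is an added Go example (not the commenter's setup and not any ACME client's own code) of what the renewal hook actually has to publish: the RFC 8555 DNS-01 TXT value, derived from the RFC 7638 thumbprint of the account key and the challenge token. The P-256 account key, the tokens and the host names are constructed for the example; a real token comes from the challenge object the CA returns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// b64url is the unpadded base64url alphabet ACME uses everywhere (RFC 7515 §2).
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newAccountKey generates the kind of account key an ACME client registers
// with Let's Encrypt (P-256 ECDSA). Constructed here; a client stores it on disk.
func newAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// canonicalEC builds the RFC 7638 canonical JWK of an EC public key: only the
// required members, in lexicographic order, with no whitespace. json.Marshal
// emits struct fields in declaration order, so the order below is the canonical one.
func canonicalEC(pub *ecdsa.PublicKey) ([]byte, error) {
	size := (pub.Curve.Params().BitSize + 7) / 8 // 32 bytes for P-256
	return json.Marshal(struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{
		Crv: pub.Curve.Params().Name, // "P-256"
		Kty: "EC",
		X:   b64url(pub.X.FillBytes(make([]byte, size))), // fixed width, left-padded
		Y:   b64url(pub.Y.FillBytes(make([]byte, size))),
	})
}

// ecThumbprint is the JWK thumbprint: base64url(SHA-256(canonical JWK)).
func ecThumbprint(pub *ecdsa.PublicKey) (string, error) {
	canon, err := canonicalEC(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return b64url(sum[:]), nil
}

// keyAuthorization binds the server's token to the account key (RFC 8555 §8.1).
func keyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// dns01TXTValue is the TXT record content for DNS-01 (RFC 8555 §8.4):
// base64url(SHA-256(key authorization)). HTTP-01 serves the unhashed key
// authorization; DNS-01 publishes its hash.
func dns01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64url(sum[:])
}

// dns01RecordName is the owner name of the TXT record. A wildcard identifier
// such as *.home.example.com is validated at _acme-challenge.home.example.com,
// so the leading "*." is dropped.
func dns01RecordName(identifier string) string {
	return "_acme-challenge." + strings.TrimPrefix(identifier, "*.")
}

func main() {
	key, err := newAccountKey()
	if err != nil {
		panic(err)
	}
	thumb, err := ecThumbprint(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	// Constructed challenges: the CA issues one token per identifier, so each
	// record carries its own value. Names and tokens are hypothetical.
	challenges := []struct{ identifier, token string }{
		{"nas.home.example.com", "YUXOTw6RdZ_1yP7gAtBLxDpr4X-ZI4ycnpq3PyVC_Dk"},
		{"*.home.example.com", "ZqW3c1wxfL8VdY9vGZ2mA-n_kR7tP0bS4eH6jU5oXyI"},
	}
	for _, c := range challenges {
		txt := dns01TXTValue(keyAuthorization(c.token, thumb))
		fmt.Printf("%s. 60 IN TXT %q\n", dns01RecordName(c.identifier), txt)
	}
}
```

Whatever DNS provider the hook talks to, this is the record it must create before the client tells the CA to validate; the value is per-challenge and changes on every renewal, which is why the hook has to run inside the renewal rather than once.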


Not sure about “easy”, but you want to be an intermediate CA signed off by another CA already recognised by common browsers. LE doesn’t provide that apparently, but it does seem to be available for a price …

[0] https://community.letsencrypt.org/t/does-lets-encrypt-offer-...


I get a *.domain.tld cert for my public server and then copy that to all my internal hosts, which are only reachable internally, but use the same domain.



> no public IP or hostname

You can get a domain name for free from many non-profits (e.g. eu.org). And chances are you have a public IP address, it's just dynamic, not static, in which case a dynamic DNS setup is fairly easy.

The only case where you're screwed is a 4G/5G setup where you actually don't have a public IP at all, but only half/quarter of an IP (just a dedicated port range on a shared IP).


If your host has no public IP or hostname, Let's Encrypt has no business issuing that host a certificate.

If you wanted to, having a public facing IP that uses challenge files, and just reverse proxying that specific URL-range to the private host might work.

But really, if you want SSL for a private network, self-signed certs or your own trusted CA cert is the way to go. That does mean changing your browser to accept those certs.

Alternatively, drop the SSL requirement, since everything is apparently on private networks.
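The challenge-forwarding idea in the comment above, written out as an added Go example rather than the commenter's own setup: the box that owns the public IP forwards only /.well-known/acme-challenge/<token> to the private host and answers everything else with 404, so the public address exposes nothing of the internal server except the challenge directory. The internal address 192.168.1.20 is a placeholder.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

const challengePrefix = "/.well-known/acme-challenge/"

// isChallengePath accepts only /.well-known/acme-challenge/<token>, where the
// token is a single base64url label. path.Clean collapses "..", so a request
// for /.well-known/acme-challenge/../../admin is rejected instead of forwarded.
func isChallengePath(p string) bool {
	clean := path.Clean(p)
	if !strings.HasPrefix(clean, challengePrefix) {
		return false
	}
	token := strings.TrimPrefix(clean, challengePrefix)
	if token == "" {
		return false
	}
	for _, c := range token {
		isAlnum := (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
		if !isAlnum && c != '-' && c != '_' {
			return false
		}
	}
	return true
}

// newChallengeProxy forwards HTTP-01 challenge requests to the private host
// and refuses everything else. GET/HEAD is all a CA validator ever sends.
func newChallengeProxy(internal *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(internal)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !isChallengePath(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder private host; the public-facing box runs this on port 80,
	// which is the only port HTTP-01 validation ever connects to.
	internal, err := url.Parse("http://192.168.1.20:80")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":80", newChallengeProxy(internal)))
}
```

The ACME client on the private host serves its token file as usual; only that path is reachable from outside, and the issued certificate itself never has to leave the private network.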

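For the "run your own CA" option, suggested in an earlier comment and again here, an added Go example (not the commenters' setup, not gnoMint) of what the CA does and what the browser then checks: mint a 10-year root, issue a short-lived leaf with proper SANs, and verify it the way a browser would, including the two ways it fails (name not in the SAN, root not imported). nas.home.lan and 192.168.1.20 are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// homeCA is the root certificate plus its private key. Only the certificate is
// imported into browser/OS trust stores; the key stays on the issuing machine.
type homeCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// signed fills in a random 128-bit serial, generates a fresh P-256 key for tmpl
// and signs it with parentKey (or with its own key when parentKey is nil).
func signed(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newHomeCA mints a self-signed root valid for the given number of years.
func newHomeCA(name string, years int) (*homeCA, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // pathlen:0 - signs leaves only, never sub-CAs
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, key, err := signed(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &homeCA{Cert: cert, Key: key}, nil
}

// Issue signs a server certificate. Browsers match the host against the SAN
// extension, not the CN, so list every DNS name and IP the host is reached by.
func (ca *homeCA) Issue(dnsNames []string, ips []net.IP, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames,
		IPAddresses:           ips,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 0, days),
		BasicConstraintsValid: true, // IsCA stays false: a leaf must not be able to sign
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return signed(tmpl, ca.Cert, ca.Key)
}

// verifyForHost does what a browser does on connect: chain the leaf to one of
// roots and check host against the SANs. An empty roots list models a browser
// into which the home root was never imported.
func verifyForHost(leaf *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, err := newHomeCA("Home Root CA", 10)
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.Issue([]string{"nas.home.lan"}, []net.IP{net.ParseIP("192.168.1.20")}, 90) // hypothetical host
	if err != nil {
		panic(err)
	}
	trusted := []*x509.Certificate{ca.Cert}
	fmt.Println("root imported, right name:", verifyForHost(leaf, trusted, "nas.home.lan"))
	fmt.Println("root imported, wrong name:", verifyForHost(leaf, trusted, "other.home.lan"))
	fmt.Println("root not imported:        ", verifyForHost(leaf, nil, "nas.home.lan"))
	// The root certificate (never its key) is what gets imported into the browser.
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: ca.Cert.Raw})
}
```

The long-lived part is the root, which is why a 10-year lifetime there costs nothing; the leaves are what you rotate, and because browsers and Go alike ignore the CN in favour of the SAN, a cert minted for the name only will still warn when the NAS is opened by IP unless that address is listed too.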

For whatever it’s worth, my startup kubesail.com exists to solve exactly these problems :)



