but a pain to manage
I need to open port80 from the firewall to my server, then add a http/80 on my proxy so certbot can update the cert every third month.
Lots of acme services out there that let you install a vpn to fix this but they all cost money. I have an ssl terminator in my proxy, so I just link any service through it and I do not have to bother with certs in my apps until the next 3 months.