You should probably know about LetsEncrypt DNS challenge validation
Everyone knows the basic way to renew a LetsEncrypt cert. Open port 80 and let LetsEncrypt connect to your server. But what if you don't want to open your network or you limit access to a handful of IP addresses? Well you can just use the DNS challenge validation, no need for web servers and no need for port wrangling.
For example I use the certbot-dns-cloudflare for my work intranet allowing it to remain VPN only.
Another great option is to use acme.sh as it supports a massive list of dns providers and the ever popular duckdns out of the box.
Given in the past I found the most fragile part of my LetsEncrypt setup was making sure port 80 was accessible to LetsEncrypt I personally use this method even if I have a network accessible from the wider internet.