The relative proximity of the words "done right" and "split-horizon DNS" makes my insides hurt a little bit.
Use DNS validation to allow these internal services to pull ACME certs. There's so much less headache, long-term.
Split-horizon DNS (and the tedious make-work it can create when you start needing to mirror public-accessibly records in the private DNS) has always been something to aspire to move away from in my experience.
Also be careful when using split DNS and Tailscale, which increasingly won't work without MagicDNS enabled.
Came here to say the same. I use DNS-Challenge rather than HTTP-challenge, and that makes internal servers trivial.
You need a DNS provider which supports API calls (I use DNSimple) but the core is all very straightforward.
To prevent having to include DNSimple authentication on the client's internal server I have a small API server on the web which does the Acme work.
Once dns-persist-01 becomes available/usable[1], it should make dns validation even easier.
[1]: https://letsencrypt.org/2026/02/18/dns-persist-01