Not sure if I understand correctly, but service.local.example.com must point to your internal IP. You do not need a localdomain and the SSL certs will only work for what they were generated for (service.local.example.com). However, you can very much point your local DNS server's entry for service.local.example.com to any local IP, resolving these services internally. For that matter, you can equally simply edit the `hosts` file and add overrides.

For the ACME-certs I suggest using the fullchain-cert that you get from Let's Encrypt for service.local.example.com (e.g. in the nginx reverse proxy). Firefox/Chrome will typically not complain if you do not serve intermediate CA SSL certs, but it is better to provide the full chain of certs.

> Not sure how to best distribute certificates though, if I had found a way I could let the router do all the renewals.

My router is pfsense, I added a hook that stores SSL certs to a local NAS folder via script:

Action List: `sh /conf/acme/store_certs_nas.sh`.

From there, it is easy to pull certs through cronjobs on services.