You could use the DNS authentication: just set the IP to the local one of this box for the domain you own/will always use. Then all you have to be able to do is hit external DNS and Let's Encrypt to update the cert.
AFAIK you can't, because then there are no DNS records to verify against. You could use a subdomain of a real TLD if you had one though, or just bite the bullet and spend 10 bucks a year.