I’m evaluating this and there is one issue I think should be addressed. And that is keeping fetching certificates separated from distributing them.
I want a server in the DMZ to fetch certificates. And I want to distribute certificates inside our net. I really don’t want to distribute certificates from the DMZ. I don’t mind having a Central Certificate Store there since it will not push those further inside. The servers on the inside can pull the certificates. This maintains separation of the DMZ and the inside.
So, even if the program is not split, I still need something nice that allows me to distribute certificates on the inside.
Please feel free to start implementing at once.
Hi, thanks, we will look into how we can improve that scenario.
If you currently want to manage certificates from a machine that’s not internet facing you can simply use DNS validation instead of HTTP validation; that way the server running Certify The Web doesn’t need to be internet facing.
Once you have a certificate you can decide how to distribute it, and a common approach is to use a secrets store (either local or cloud), for example HashiCorp Vault or Azure Key Vault, and then have your services fetch from there regularly. This provides a complete separation of concerns between certificate renewal and deployment.
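As an added illustration of the pull model described in the original question (renewal on one host, internal servers pulling from a central store) and of the secrets-store approach suggested in the reply above, here is the consumer side as a PowerShell script. This is example code written for this thread, not part of Certify The Web and not vendor code. It assumes the renewing host has already uploaded the certificate to an Azure Key Vault, that the internal server has a managed identity with `get` permission on that one secret, and that the Az.KeyVault module is new enough to support `-AsPlainText` on `Get-AzKeyVaultSecret`. The vault name and certificate name are placeholders.

```powershell
# Pull-side certificate distribution from Azure Key Vault (added example, not
# Certify The Web code). Run as a scheduled task on each internal server.
# Assumptions: the certificate already sits in the vault with its private key,
# this host logs in with a managed identity, and the names below are placeholders.
param(
    [string]$VaultName = 'example-vault',   # assumption: your Key Vault name
    [string]$CertName  = 'www-example-com', # assumption: certificate name in the vault
    [string]$StoreName = 'My'               # LocalMachine\My (Personal)
)

Import-Module Az.KeyVault -ErrorAction Stop

# Authenticate with the machine's managed identity: no credentials stored on disk,
# and the identity only needs "get" on this one secret, not on the whole vault.
Connect-AzAccount -Identity | Out-Null

# 1. Read only the certificate metadata first and compare thumbprints, so a
#    scheduled pull is a no-op (and never touches the private key) when nothing
#    has been renewed since the last run.
$kvCert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName
$installed = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
    Where-Object { $_.Thumbprint -eq $kvCert.Thumbprint }
if ($installed) {
    Write-Output "Certificate $($kvCert.Thumbprint) already installed; nothing to do."
    return
}

# 2. Only now fetch the secret backing the certificate. Key Vault exposes it as
#    base64-encoded PKCS#12 containing the private key, with an empty password.
$pfxBase64 = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -AsPlainText
$pfxBytes  = [Convert]::FromBase64String($pfxBase64)

# Keep the key in the machine key store and persistent, but do NOT mark it
# Exportable: this host terminates TLS, it does not redistribute the certificate.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, '', $flags)

# Sanity check: the PFX we downloaded must be the version the metadata described.
if ($cert.Thumbprint -ne $kvCert.Thumbprint) {
    throw "Thumbprint mismatch between vault metadata and downloaded PFX; aborting."
}
if (-not $cert.HasPrivateKey) {
    throw "Downloaded certificate has no private key; check the vault's content type."
}

# 3. Install into LocalMachine\<StoreName>. Rebinding IIS, RDP or other services
#    to the new thumbprint is a separate, service-specific step.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
Write-Output "Installed $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)."

# Scrub the PFX bytes from memory as far as .NET allows.
[Array]::Clear($pfxBytes, 0, $pfxBytes.Length)
```

The point of checking the thumbprint before downloading the secret is that the private key only ever leaves the vault when a real renewal has happened, and each internal server pulls on its own schedule rather than anything in the DMZ pushing inward. For a HashiCorp Vault or on-premises store the same shape applies: compare a version or thumbprint first, fetch the key material second, install third.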
There is a problem and that is that DNS is not internal. It is an external service for sites that need to be reachable from the outside.
I’m looking into the Azure Key Vault with Let’s Encrypt.