DNS Auth doesn't work with split-horizon DNS though, since the LE process will update the internal view instead of the external.
It sounds like you've put all your RRs in one flat zone visible internally and externally, but then that breaks device network portability, since mail.example.net on 10.x.x.x won't be reachable once outside the internal network.
ACME and LE were really developed without an understanding of how certs work in the IT World. They were developed by folks who spin up a service on AWS and think that's how the world works.