wowczarek 4 days ago

Doesn't the use of .internal and the like preclude the use of ACME/certbot for your internal https services? Unless you want the pain of running your own internal CA, but then some OSes complain about internal CAs these days.

zamadatix 3 days ago | parent

Yes on the preclusion, because ACME is based on you proving you are in some way in control of the public domain you're trying to get a cert for, but using ACME/certbot for internal homelabs is not the same walk in the park as it is for publicly exposed servers anyways.

The easiest solution I've found is to not play the game. I.e., just use HTTP for your homelab, and if the service doesn't let you use anything but HTTPS then bind it to 127.0.0.1 and set up Caddy to reverse proxy and ignore the cert in a few lines. If you want to expose things externally and do happen to own a domain then set up a single external *.yourdomain.tld record which points to your public IP, bind an instance of Caddy to it, and reverse proxy to the internal HTTP-only services. The internal service DNS entries can still use .internal so you won't have to deal with split-horizon DNS either.
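The two Caddy instances described in that reply, written out as an added example that is not from the thread. The .internal hostnames, the ports, and example.com are placeholders, and the external host is assumed to resolve .internal names through the same internal DNS the LAN uses.

```caddyfile
# --- File 1: Caddyfile on the internal host ---
# The service insists on HTTPS, presents a self-signed cert, and is bound to
# 127.0.0.1:8443 (placeholder port). Caddy exposes it as plain HTTP on the LAN
# name. The "http://" prefix stops Caddy from trying ACME for a .internal name.
# Skipping upstream cert verification is tolerable here only because that hop
# never leaves the loopback interface; do not copy this block for a remote upstream.
http://service.internal {
    reverse_proxy https://127.0.0.1:8443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

# --- File 2: Caddyfile on the externally reachable host ---
# A single wildcard A record (*.example.com -> public IP) lands every name here.
# Each listed site gets its own publicly trusted cert via ACME (HTTP-01 or
# TLS-ALPN-01, so no DNS API credentials are needed), and Caddy proxies to the
# HTTP-only services by their .internal names. Only names with a site block are
# served; any other subdomain under the wildcard is refused rather than proxied.
git.example.com {
    reverse_proxy http://git.internal:3000
}

photos.example.com {
    reverse_proxy http://photos.internal:2342
}
```

Each external site block is also the natural place to attach authentication or IP allow-lists before an internal HTTP-only service becomes reachable from the internet.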