I just use a script on a cron that runs every 15 minutes and updates my DNS provider. And for let’s encrypt, I use the DNS verification method so you don’t have to even expose HTTP(S) ports if you don’t need to
I wrote a small go app[0] which is invoked every 15 minutes and updates the DNS through the cloudflare API. Its very specific for my use case and ISP but works well.
Cool! There's also certbot[0] and lego[1] which can do ACME-DNS with a range of providers beside CF. You could also do tls-alpn, which allows you to do do the challenger encrypted on another port. Sounds like DNS works fine for you, but it's primarily worth considering for those issuing certs for non-public names that shouldn't be broadcasted via public DNS.
