It's 100% possible today to get certs in segmented networks without a new ACME challenge type: https://anchor.dev/docs/public-certs/acme-relay
(disclamer: i'm a founder at anchor.dev)
Does your hosted service know the private keys or are they all on the client?
No, they stay on the client, our service only has access to the CSR. From our docs:
> The CSR relayed through Anchor does not contain secret information. Anchor never sees the private key material for your certificates.