procaryote 3 days ago

If this is causing you pain, certbot with an ACME DNS challenge is pretty easy to set up to get you certs for your internal services. There are tools for many different DNS providers like Route53 or Cloudflare.

I tend to have secondary scripts that check if the cert in certbot's dir is newer than whatever is installed for a service, and if so install it. Some services prefer the cert in certain formats, some services want to be reloaded to pick up a new cert, etc., so I put that glue in my own script and run it from cron or a systemd timer.

2
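The glue script described in the comment above, written out as an added example (not the commenter's own script): it compares certbot's live files against what a service has installed, copies them atomically with sane modes, optionally converts to PKCS#12 for services that want that format, and reloads the service only when something actually changed. The cert name, the destination directory, the reload command and the `myservice` unit are all assumptions; the certbot live-directory layout (`fullchain.pem`, `privkey.pem`) is certbot's real one.

```bash
#!/usr/bin/env bash
# cert-sync.sh: copy a renewed certbot cert into a service's TLS dir and
# reload the service only when something actually changed.
# Added example for this thread, not code from the original poster.
# The cert name, destination directory and reload command below are
# illustrative assumptions; override them via the environment.
set -euo pipefail

CERT_NAME="${CERT_NAME:-internal.example.com}"              # assumed
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$CERT_NAME}"   # certbot's live dir
DEST_DIR="${DEST_DIR:-/etc/myservice/tls}"                  # hypothetical service
RELOAD_CMD="${RELOAD_CMD:-systemctl reload myservice}"      # hypothetical hook
PKCS12_OUT="${PKCS12_OUT:-}"    # set to e.g. "$DEST_DIR/bundle.p12" if the
PKCS12_PASS="${PKCS12_PASS:-}"  # service wants a PKCS#12 bundle instead of PEM

# needs_install SRC DST -> 0 when DST is missing, or SRC is newer than DST and
# its bytes differ (a touched-but-identical file is not worth a reload).
needs_install() {
  local src="$1" dst="$2"
  [ -f "$src" ] || return 1                 # nothing to install yet
  [ -f "$dst" ] || return 0                 # first install
  [ "$src" -nt "$dst" ] || return 1         # no renewal since last install
  ! cmp -s -- "$src" "$dst"                 # only if the contents changed
}

# install_file SRC DST MODE: copy under a restrictive umask to a temp file,
# set the final mode, then rename so readers never see a partial file.
install_file() {
  local src="$1" dst="$2" mode="$3" tmp
  tmp="$dst.tmp.$$"
  ( umask 077 && cp -- "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f -- "$tmp" "$dst" )
}

# sync_cert -> 0 when a file was installed and the reload ran, 1 when there
# was nothing to do.
sync_cert() {
  local changed=0
  mkdir -p -- "$DEST_DIR"
  # Chain is world-readable, key is owner-only.
  if needs_install "$LIVE_DIR/fullchain.pem" "$DEST_DIR/fullchain.pem"; then
    install_file "$LIVE_DIR/fullchain.pem" "$DEST_DIR/fullchain.pem" 0644
    changed=1
  fi
  if needs_install "$LIVE_DIR/privkey.pem" "$DEST_DIR/privkey.pem"; then
    install_file "$LIVE_DIR/privkey.pem" "$DEST_DIR/privkey.pem" 0600
    changed=1
  fi
  [ "$changed" = 1 ] || return 1
  # Optional format conversion for services that want a PKCS#12 bundle.
  if [ -n "$PKCS12_OUT" ]; then
    ( umask 077 && openssl pkcs12 -export \
        -in "$DEST_DIR/fullchain.pem" -inkey "$DEST_DIR/privkey.pem" \
        -out "$PKCS12_OUT" -passout "pass:$PKCS12_PASS" )
  fi
  # Reload only when on-disk material changed. A failed reload fails the
  # script (set -e) so the timer's journal shows it instead of silently
  # serving the old cert until it expires.
  sh -c "$RELOAD_CMD"
}

# Entry point for cron / a systemd timer: `cert-sync.sh sync`.
if [ "${1:-}" = "sync" ]; then
  if sync_cert; then echo "installed new certificate, ran: $RELOAD_CMD"
  else echo "nothing to do"; fi
fi
```

Run it from a systemd timer (or cron) a little after certbot's own renewal timer; because `needs_install` also checks content, a second run or a touched-but-unchanged file does not trigger a spurious reload.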
AtNightWeCode 3 days ago

Yeah, but the problem as I see it is not renewing the certs. Some systems become unstable or need to reboot during installation of new certificates. I worked on systems where it takes hours to install and use new certificates.

merb 3 days ago

The problem is more or less devices that do not support DNS challenges or only support Let's Encrypt and not the ACME protocol (to chain ACME servers, etc.).

cpach 3 days ago

What kind of devices are you thinking of? Like switches and other network gear?

JackSlateur 3 days ago

I've deployed LE on IPMI (Dell, Supermicro), so that's not a good excuse! As long as you have a way to "script" something on your devices (via SSH, API or whatever), you are good to go.

merb 2 days ago

FortiGate 50G (a version higher than 7.0 probably fixes that, but no idea when that will be released), some Synology NAS, and there are tons of other boxes like that.