A valid certificate is anything you trust. Any CA which you can trust is no more or less secure than the one you get from LE, so for the private network you can just happily sign your own certificates and just distribute the CA to your devices.
If you can’t access the hardware physically and you don’t have someone on site who can work on it, just drop the idea and get a VPS or whatever cloud based. No matter what hardware you plan to use. Anything and everything can happen. Broken memory module, odd power surge, rodents or bugs messing up with the system, moisture or straight up water leak corroding something, fan failure overheating the thing and so on.
There’s only one single fact about the business that I’ve learned over the 20-something years I’ve been working with IT: All hardware fails. No exceptions. The only question is ‘when’. And when the time comes you need someone to have physical access to the stuff.
I mean, sure, your laptop might run just fine for several years without problems or it might have shipping damage over that 3000km and it’ll break in a week. In either case, unless you have someone hands on the machine, it’s not going to do much.
Without a doubt a lot do, but I personally couldn’t care less. I have a server at home, but that’s just a necessary evil. If I could I’d just rent hardware for everything, but there’s technical and obviously financial limitations with that.
And hosting pretty much anything is practically identical regardless of the platform. Sure, there’s exceptions, like my Home Assistant server with z-wave, which needs to be physically nearby my other stuff, but things like fediverse instances and other browser-based stuff are exactly the same to maintain regardless of the underlying platform.
True. And there’s also a ton of devices around which don’t trust LetsEncrypt either. There’s always edge cases. For example, take a bit older photocopier and it’s more than likely that it doesn’t trust anything on this planet anymore and there’s no easy way to update CA lists even if the hardware itself is still perfectly functional.
That doesn’t mean that your self-signed CA, in itself, would be technically any less secure than the most expensive Verisign certificate you can find. And yes, there’s a ton of details and nuances here and there, but I’m not going to go through every technical detail about how certificates work. I’m not an expert in that field by any stretch even if I do know a thing or two and there’s plenty of material online to dig deep into the topic if you want to.
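The private-CA setup mentioned in the comments above (sign your own certificates, distribute the CA to your devices), as an added example that is not part of the original comments. It uses the `openssl` CLI; the CA name `Home Lab Root CA` and the `home.arpa` hostnames are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; CA name and hostnames below are constructed sample values.
set -eu

make_ca() {   # $1 = output dir; writes ca.cnf, ca.key, ca.crt
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_leaf() {   # $1 = CA dir, $2 = DNS name; writes $2.key, $2.crt
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' "$2" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/$2.ext" \
    -out "$1/$2.crt" 2>/dev/null
}

# What a client does: accept the leaf only if it chains to a CA it has installed
# and the requested hostname is in the certificate's SAN.
trusted_by() {   # $1 = installed CA cert, $2 = leaf cert, $3 = hostname
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_ca "$d/mine"; make_ca "$d/other"   # same subject name, different keys
  issue_leaf "$d/mine" nas.home.arpa
  for ca in mine other; do
    if trusted_by "$d/$ca/ca.crt" "$d/mine/nas.home.arpa.crt" nas.home.arpa
    then echo "device holding '$ca' CA: accepts"
    else echo "device holding '$ca' CA: rejects"; fi
  done
  rm -rf "$d"   # in real use ca.key is the secret to protect; devices get ca.crt only
}
demo
```

The second CA has the same subject name but a different key, so the leaf is rejected by a device that only has that one installed: trust follows the CA certificate in the device's store, not the name on it.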