How can I get a Let's Encrypt certificate for a non-public facing server?

If you control DNS for the domain, then you can use the dns-01 challenge method to prove ownership by creating a TXT record.

This can be done manually or automatically. I think even the official certbot client now supports dns-01.

A quick Google shows me a bunch of tutorials using various scripts and clients so I won't repeat all of them here. This one specifically automates intranet certificates.


The certbot client has the capability to do a manual DNS challenge. The (currently second most popular) answer found in this question, "How to use Let's Encrypt DNS challenge validation?", has all the details, and I just tested it as working.

Basically, you run this command and follow the directions:

certbot -d site.your.dom.ain --manual --preferred-challenges dns certonly
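
For the automated route mentioned in the answers above, certbot's `--manual-auth-hook` and `--manual-cleanup-hook` options can run a script that publishes and removes the TXT record, so the intranet host never needs to be reachable from outside. The following hook is an added example, not code from either answer; it assumes a DNS server that accepts TSIG-signed RFC 2136 dynamic updates via `nsupdate`, and the hook path, `DNS_SERVER`, `TSIG_KEYFILE`, `TTL` and `WAIT_SECS` are hypothetical values.

```shell
#!/bin/sh
# Usage (hook path is hypothetical):
#   certbot certonly --manual --preferred-challenges dns -d site.your.dom.ain \
#     --manual-auth-hook "/path/to/hook.sh auth" \
#     --manual-cleanup-hook "/path/to/hook.sh cleanup"
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
# Assumed settings, override through the environment:
DNS_SERVER="${DNS_SERVER:-ns1.your.dom.ain}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/tsig.key}"
TTL="${TTL:-60}"
WAIT_SECS="${WAIT_SECS:-30}"

# dns-01 validation records live at _acme-challenge.<domain>.
challenge_name() {
    printf '_acme-challenge.%s.' "${1%.}"
}

# The validation value is 43 base64url characters; reject anything else so
# nothing unexpected is spliced into the nsupdate command stream.
valid_token() {
    case "$1" in
        *[!A-Za-z0-9_-]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 43 ]
}

# Print the nsupdate script that adds or deletes one TXT record.
build_update() {   # $1=add|delete  $2=domain  $3=validation
    valid_token "$3" || return 1
    name=$(challenge_name "$2")
    printf 'server %s\n' "$DNS_SERVER"
    case "$1" in
        add)    printf 'update add %s %s TXT "%s"\n' "$name" "$TTL" "$3" ;;
        delete) printf 'update delete %s TXT "%s"\n' "$name" "$3" ;;
        *)      return 1 ;;
    esac
    printf 'send\n'
}

run_hook() {       # $1=auth|cleanup
    case "$1" in
        auth)    action=add ;;
        cleanup) action=delete ;;
        *)       echo "usage: $0 auth|cleanup" >&2; return 2 ;;
    esac
    script=$(build_update "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION") || return 1
    printf '%s\n' "$script" | nsupdate -k "$TSIG_KEYFILE" || return 1
    if [ "$action" = add ]; then sleep "$WAIT_SECS"; fi  # let secondaries sync
}
if [ -n "${CERTBOT_DOMAIN:-}" ]; then run_hook "$@"; fi  # only act under certbot
```

On the DNS server, restrict the TSIG key so it can only update `_acme-challenge` TXT records, and keep the key file readable only by the account that runs certbot.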