How to keep my homelab infrastructure private when using Let's Encrypt or ZeroSSL certificates?

I have a small homelab environment, I host several services for which I get Let's Encrypt or ZeroSSL certs via acme.sh.

That's working fine, however, when I look at https://crt.sh, I can see the certs for myrouter.example.com, myserver.example.com, mypasswordmanager.example.com, mydocumentmanagement.example.com etc.

For example:

$ curl -sS "https://crt.sh?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u
myrouter.example.com
myserver.example.com
mypasswordmanager.example.com
mydocumentmanagement.example.com
...

These services are not exposed, I can only access them locally or via a wireguard tunnel. I know bad actors can't …

access acme bad bad actors big certificates encrypt environment exposed google homelab host infrastructure let's encrypt locally privacy private public reddit services tunnel wireguard