Let's Encrypt for a local server with a publicly reachable domain


The target is to have a local server with a valid Let's Encrypt certificate.

I want the IP 10.10.10.5 to be reached through mydomain.com. So I have a local DNS server giving that IP back. To the public, mydomain.com will resolve to the proper IP pointing to a router, and the router then does port forwarding to the local IP 10.10.10.5.

Does that work? I am very unsure; afaik the certificate is bound to the domain name, but the browser might block it anyway, since Let's Encrypt does not issue certificates for local networks?

user5542121

Posted 2018-09-04T15:57:46.490

Reputation: 215

I use the certonly option for LE - I'll mess w/ my own config files, thanks. But yes, I have two machines here at work that are on a private network and only configured as such, but outside DNS points to a routable IP which is then forwarded to the internal network and reaches the machine. No issues w/ obtaining a LE cert on either of them. – ivanivan – 2018-09-04T16:22:33.663

Answers


Let's Encrypt does not issue certificates for local networks

As you correctly noted, the certificate is bound to the domain name, and to the domain name only. It does not have a record of the IP address – so if you visit by the domain name, browsers will not have any reason to care about what kind of IP address it's at. (Besides, you mentioned that the domain will be resolving to a public address anyway.)

The flip side is that you cannot directly visit https://10.10.10.5, which will result in a mismatch.

(That said, if the certificate were issued specifically for an IP address – which LE doesn't offer, but some other CAs do – then yes, it would need to be a public address. But that's not the situation here.)

So right now your only requirement is to be able to pass one of LE's supported validation mechanisms.

  • If, as you say, the domain will resolve to a public address and will eventually lead to a publicly-accessible web server, then HTTP validation will work fine. (LE does not care what happens behind the scenes, as long as the validation servers can fetch http://<yourdomain>/.well-known/etcetera)

  • Even if the web server isn't publicly accessible (or if there's no web server at all), LE also supports DNS-based validation, which only requires you to add some extra DNS records to your public domain.


A note about port forwarding: If your domain resolves to your public IP address, accessing it from within the LAN would require "NAT reflection/hairpinning/loopback" to be enabled in your router; otherwise the domain won't be reachable from the LAN at all.

user1686

Posted 2018-09-04T15:57:46.490

Reputation: 283 655
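A worked illustration of the name-matching rule the answer relies on, added here and not part of the original post: a browser matches the host it was asked for against the certificate's subjectAltName entries, so a certificate for mydomain.com is accepted for that name whatever IP it resolves to, while https://10.10.10.5 can only ever match an iPAddress entry. The SAN lists, the wildcard entry and the public address 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Constructed SAN lists in the (type, value) shape that
# ssl.SSLSocket.getpeercert()["subjectAltName"] returns. A Let's Encrypt
# certificate for the domain in the question would carry only dNSName entries.
LE_CERT_SANS = (("DNS", "mydomain.com"), ("DNS", "*.mydomain.com"))

# Constructed SAN list for a certificate from a CA that does issue IP
# certificates; such a CA would only accept a public address like this one.
IP_CERT_SANS = (("DNS", "mydomain.com"), ("IP Address", "203.0.113.10"))


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match; a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # "*.mydomain.com" matches "www.mydomain.com" but not "mydomain.com"
    # or "a.b.mydomain.com".
    host_labels = hostname.split(".")
    return (len(host_labels) == pattern.count(".") + 1
            and host_labels[1:] == pattern.split(".")[1:])


def requested_name_matches(sans, requested: str) -> bool:
    """True if the host part of the URL is covered by the certificate's SANs.

    An IP literal is compared only against iPAddress entries, never against
    dNSName entries, which is why https://10.10.10.5 mismatches a domain-only cert.
    """
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for san_type, value in sans:
        if ip is not None:
            if san_type == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif san_type == "DNS" and _dns_name_matches(value, requested):
            return True
    return False


if __name__ == "__main__":
    for host in ("mydomain.com", "www.mydomain.com", "10.10.10.5", "203.0.113.10"):
        print(f"{host:15} LE cert: {requested_name_matches(LE_CERT_SANS, host)!s:5} "
              f"IP cert: {requested_name_matches(IP_CERT_SANS, host)}")
```

Against a live server the entries come from ssl.SSLSocket.getpeercert()["subjectAltName"] in the same (type, value) shape, so the same check applies to a real Let's Encrypt certificate.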