
You can run acme.sh on another device using dns-01 authentication. Then you can move the certificates to your servers in some way. This would mean one machine having access to the internet and the private servers though.


But also, LE certs expire after 90 days, meaning this manual process needs to be repeated every <90 days.

Though, I'd be curious to know what the threat model for such a service is. Why is it not allowed to connect to the Internet? Can a different internal machine connect to it? And if so, is that machine allowed to connect to the Internet? What happens if someone connects to that machine and opens a tunnel through their machine to the Internet (if at all possible)? Understanding the threat model will give you a solution on how best to use the dns-01 challenge to generate certs and keep them updated.


Alternatively, you could use a fast CA solution like Netflix's lemur or step-ca or even just openssl, make your own CA, and distribute it to everything. If your threat model is such that that stuff should never connect to the outside world, why risk it by repeatedly moving things in from outside? Just generate a closed CA for your closed environment, trust it once, and move on.



