After reinstalling our NAS, and installing the UniFi controller on it, one of the few things left is HTTPS for it. I'm a huge fan of LetsEncrypt (if we're going to have the stupid CA system we have, we might as well democratize it!), and an even bigger fan of acme.sh.
One of the issues is that these are all services on my internal network - I've absolutely no interest in ever publicizing any of these services, so how to validate them for LE? Since I use Cloudflare for my domain, it seems a no-brainer that using their API for DNS validation is the obvious solution.
Unfortunately, FreeBSD's port of acme.sh doesn't install things where they need to be for it to work as others describe.
I had to copy the dns_cf.sh file from
/root/.acme.sh/, and since I was there I hard-coded my API key into it. Then it was a simple matter of specifying it as others do:
acme.sh --issue --dns dns_cf -d piglet.home.fwaggle.org -d nas.home.fwaggle.org -d unifi.home.fwaggle.org -d plex.home.fwaggle.org
Install the certificates as normal in Nginx, and set up a reverse proxy and I'm all set!