I think it's almost impossible: toasterGUID.iot.tld. Toaster has API key to update A to local IP & _acme-challenge TXT, toaster is able to issue a cert via an ACME DNS challenge, provided toaster has sufficient connectivity to the CA & to the API used to update the DNS.
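
The flow described in the comment above, as an added example that is not part of the original comment: how the `_acme-challenge` TXT value is derived for an ACME DNS-01 challenge (RFC 8555, with the RFC 7638 account-key thumbprint), plus a check that limits a per-device API key to the two records the comment names. The token, the JWK and all function names are constructed for illustration, and `key_may_update` is a hypothetical policy on the DNS API side, not any provider's real interface.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not real key material or a real CA token).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXgtY29vcmRpbmF0ZQ", "y": "c2FtcGxlLXktY29vcmRpbmF0ZQ"}
TOKEN = "constructed-sample-token-0001"
DEVICE = "toasterGUID.iot.tld"

# RFC 7638 required members per key type.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace."""
    members = {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(fqdn: str, token: str, account_jwk: dict) -> tuple:
    """Return (owner name, TXT value) the CA will look up for a DNS-01 challenge."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{fqdn.rstrip('.')}", b64url(digest)


def key_may_update(device_fqdn: str, rtype: str, name: str) -> bool:
    """Hypothetical DNS-API policy: a device key may touch only its own A and challenge TXT."""
    fqdn = device_fqdn.rstrip(".").lower()
    allowed = {("A", fqdn), ("TXT", f"_acme-challenge.{fqdn}")}
    return (rtype.upper(), name.rstrip(".").lower()) in allowed


if __name__ == "__main__":
    print(dns01_record(DEVICE, TOKEN, ACCOUNT_JWK))
    print(key_may_update(DEVICE, "TXT", "_acme-challenge.otherGUID.iot.tld"))  # False
```

Because the TXT value binds the CA's token to the ACME account key, the DNS API credential on the device only needs write access to those two owner names.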