A valid certificate is anything you trust. Any CA which you can trust is no more or less secure than the one you get from LE, so for the private network you can just happily sign your own certificates and just distribute the CA to your devices.
Ubuntu or something based on it
I would not recommend Ubuntu, especially in this case. System updates, snapd mostly, have gone downhill and it’s nearly impossible to avoid reboots for extended periods. Debian seems to be still as solid as it’s always been.
Laptops use lithium-ion batteries and (at least your Average Joe’s and majority of commercial units too) UPS uses sealed Lead Acid. If a lithium-ion battery goes belly up it’ll burn your house down. If a lead acid battery does the same, at worst, it’ll leak a bit of corrosive fluids to whatever it’s on top of.
There are commercial-size li-ion UPSes too, but they require quite a lot of hardware around them to be used safely. Search YouTube (or whatever you like) for a cell phone battery explosion and then scale that up to a fridge-sized cell phone. It’s quite a bit of steel and concrete to contain that amount of energy. And the funny thing about li-ion fires is that lithium ions react quite violently with water and the battery contains all the chemicals to keep the fire going, oxygen included.
So, yeah, a UPS is a whole other thing to manage than a laptop battery.
If you can’t access the hardware physically and you don’t have someone on site who can work on it, just drop the idea and get a VPS or whatever cloud based. No matter what hardware you plan to use. Anything and everything can happen. Broken memory module, odd power surge, rodents or bugs messing up with the system, moisture or straight up water leak corroding something, fan failure overheating the thing and so on.
There’s only one single fact on the business that I’ve learned over the 20-something years I’ve been working with IT: All hardware fails. No exceptions. The only question is ‘when’. And when the time comes you need someone to have physical access to the stuff.
I mean, sure, your laptop might run just fine for several years without problems or it might have shipping damage over that 3000km and it’ll break in a week. In either case, unless you have someone hands on the machine, it’s not going to do much.
True. And there’s also a ton of devices around which don’t trust LetsEncrypt either. There are always edge cases. For example, take a bit older photocopier and it’s more than likely that it doesn’t trust anything on this planet anymore and there’s no easy way to update CA lists even if the hardware itself is still perfectly functional.
That doesn’t mean that your self-signed CA, in itself, would be technically any less secure than the most expensive Verisign certificate you can find. And yes, there’s a ton of details and nuances here and there, but I’m not going to go through every technical detail about how certificates work. I’m not an expert in that field by any stretch even if I do know a thing or two and there’s plenty of material online to dig deep into the topic if you want to.
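Added example, not part of the original comments: a minimal private CA built with the `openssl` CLI, showing that the same server certificate verifies or fails depending only on which CA the client has installed. The names `home-ca`, `other-ca` and `nas.home.example` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo: all names (home-ca, other-ca, nas.home.example) are made up.
set -eu
WORK="$(mktemp -d)"

make_ca() {   # $1 = file prefix, $2 = common name; creates a self-signed root
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_leaf() {   # $1 = hostname, $2 = prefix of the signing CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  # Clients match the hostname against subjectAltName, so set it explicitly.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

verify_with() {   # $1 = trust anchor prefix, $2 = hostname; prints the verdict
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca home-ca "Example Home Lab Root CA"
make_ca other-ca "Unrelated Example CA"
issue_leaf nas.home.example home-ca

# Same certificate, different trust anchors, different verdicts.
echo "client with home-ca installed:  $(verify_with home-ca nas.home.example)"
echo "client with only other-ca:      $(verify_with other-ca nas.home.example)"
# Only home-ca.crt goes to devices; home-ca.key never leaves the signing host.
```

The second verdict is the photocopier case from the comment above: a device whose trust store lacks the issuing CA rejects a certificate that is otherwise perfectly sound.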