OpenWrt and self-signed certificates
Posted Nov 19, 2020 8:46 UTC (Thu) by PhilippWendler (subscriber, #126612)
In reply to: OpenWrt and self-signed certificates by canihavesomecoffee
Parent article: OpenWrt and self-signed certificates
That was also my first thought. There is no need for a subordinate CA; the "SSH-hash.luci.openwrt.org" idea can easily be used with Let's Encrypt itself. OpenWRT just has to provide a DNS service for this domain that allows everyone who proves ownership of the corresponding private key to edit that DNS record. Then ACME with DNS authentication can be used, which works as soon as the router can send DNS and HTTP requests to the internet. So like all other solutions, it might not help for the first initial setup, but at least the device does not need to be reachable from the internet, it can be done behind another router, for example. OpenWRT could even on its first boot send DHCP requests on its WAN interface, try to get an internet connection that way, and get a certificate. Then the installation instructions would just need to tell users to connect it to an existing router for the first boot.
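
Added example, not part of the comment above and not OpenWrt code: a sketch of the server-side check such a DNS service would need, accepting an update to the `_acme-challenge` TXT record only from the key whose hash is the label being edited. The Ed25519 key type, the truncated SHA-256 label, and the `UpdateRequest` format are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const Zone = "luci.openwrt.org" // parent domain named in the comment

// LabelFor derives the per-device DNS label from the device's public key.
// Assumption: hex of the first 16 bytes of SHA-256 over the raw key.
func LabelFor(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:16])
}

// UpdateRequest is a hypothetical message asking the service to set a TXT record.
type UpdateRequest struct {
	Name string            // _acme-challenge.<label>.luci.openwrt.org
	TXT  string            // DNS-01 digest produced by the ACME client
	Pub  ed25519.PublicKey // key claiming ownership of <label>
	Sig  []byte            // signature over Name + "\n" + TXT
}

func signedBytes(name, txt string) []byte { return []byte(name + "\n" + txt) }

// Authorize accepts an update only if the key hashes to the label being
// edited and has signed exactly this name and value.
func Authorize(r UpdateRequest) error {
	if len(r.Pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	want := "_acme-challenge." + LabelFor(r.Pub) + "." + Zone
	if strings.ToLower(strings.TrimSuffix(r.Name, ".")) != want {
		return errors.New("key does not own this name")
	}
	if !ed25519.Verify(r.Pub, signedBytes(r.Name, r.TXT), r.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed device key
	name := "_acme-challenge." + LabelFor(pub) + "." + Zone
	sig := ed25519.Sign(priv, signedBytes(name, "constructed-digest"))
	fmt.Println(Authorize(UpdateRequest{Name: name, TXT: "constructed-digest", Pub: pub, Sig: sig}))
}
```

A deployed service would also bind a timestamp or nonce into the signed bytes so that a captured update cannot be replayed later.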