No.

Let’s Encrypt checks if you have control over the server the name eventually leads to, usually by providing you with a token that you put on your server for retrieval. The way there, including the IP, is irrelevant.

These people have no clue how to get around these DNS filters.

But not thanks to the virtue of some effective blocking but just a lack of knowledge of the average user…

I have used several of those cheap routers over the years. And they simply can’t block you from using encrypted DNS (unless they want to create giant blocklists and want to play wack-a-mole with DNS servers…).

So all they usually do is very low tech like ignoring the DNS you set in the router configuration and reroute it (or not providing such configuration in the first place). But they can effectively ony do so with unencrypted DNS.

With encrypted DNS they could at best try to block the default port used by DNSoverTLS but that still leaves DoH. And they can’t block that because it’s just regular encrypted HTTPS traffic (with the DNS quesry inside).

Iirc even Windows allows easy configuration of DoH nowadays (and for much longer if you were ready to edit the registry) where you can simply chose between unencrypted, DoH only or encryption preferred if available.

The only thing they can realistically harcode is the DNS server their router’s DHCP provides.

Just configure devices to not use that setting, also use DoH or DoT (which you should do anyway, not just to circumvent your router’s settings).

make sure all of your devices are secure using encrypted DNS and encrypted traffic

Which is so easy it really should be the default nowadays yet sadly isn’t.

Take a look at the config file (/etc/radicale/config). It’s extensively commented. Although you barely need to change any defaults for regular use.

Just create an htpasswd file (with htpsswd, apache-tools or just any of the one million available online generators) and edit two lines under [auth] to read type = htpasswd and htpasswd_filename = <the location and file you created>.

And you can start (and enable) Radicale via the systemd service usually included in the installed package. (Or for early testing just start the server manually… radicale starts it with the defaults from the config file. You can also configure everything with parameters but that’s an insanely long list (radicale --help if you are interested in seeing them)…)

The webinterface to login will be available (by default settings) under http://localhost:5232/.

All you have to do then is change the config so Radicale listens on the server’s IP instead so it’s available in in your network. (Plus the usual stuff of making it available from the outside if you need that like for any other sevice)

And any calendar/contact software will bring a wizard that guides you through the process of sync’ing, usually just asking for an address to reach your server, as well as user and password.

EDIT: I looked up the defaults and you can skip all the autehntification stuff in the beginning. By default just anyone can access the webpage at port 5232. So you can just test it and only bother with authentication later (definitely when you plan to make it available from the outside, for example to sync phones).

With radicale, do I need to install some other somewhere in order to use it?

No, you just need to install Radicale. That’s it. calDAV and cardDAV are widely used formats available as an option with basically any calendar.

Can a self hosted calendar still send and receive invites to other calendars?

Oh, I see your problem. You don’t host your calendar. You host a service that is used to synchronise all the regular calendars you already use over different devices.

Or are you at the moment using Google’s calendar in browser only?