I think when I set up vault warden with the docker compose it had scripts to generate it’s own self-signed certificate. So it was already set up to use https.

I have a CA I created with easyrsa so I went and found the csr from vault warden and signed it with my own CA, so I didn’t have to juggle two certs.

But otherwise yeah, running it on my local LAN, no let’s encrypt.