@solrize @thehatfox get a free wildcard cert for your domain and use it just like any other. nothing new, nothing different. I have those running on LAN-only hosts behind a firewall and NAT with no port punching or UpNP or any ingress possible.

if you don't want to run a private CA with automated cert distribution (also simple with ansible or a few tens of LOC in shell or python), the LetsEncrypt is trivial and costs nothing -- still requires one to load the cert and key onto a server though, which is 2/3 of the work vs private CA cert management.