Method to add a real certificate when you don't want your HA instance exposed to the internet?

Set up your router to ‘spoof’ your domain name, and use Let’s Encrypt to generate your domain certificate…

Maybe hairpin NAT would also work (just not sure if you need an outside port forwarded for the hairpin to work).