I see, yes, I did see some certificate/security issues fly by.
Funny thing is, everything kept working/talking by keeping the base_url in http: or indeed, as printed above, use the original base_url (which of course is identical to the external_url) as internal_url under homeassistant:
I dont have anything under tts:, but given the config options there, we can also use base_url: external_url
only question remains why in core.config the internal_url is 0.0.0.0 while I set it to base_url in configuration.yaml. seems to not stick.