huh, apparently there is an actual way to get proper (not self signed!) HTTPS certificates for LAN servers now without needing an open http server for ACME