
I will use this to get Let's Encrypt certs for intranet pages. Self-signed certs just seem so dangerous. And I want to renew every 30 days and not 100.


You can achieve this without exposing any service. Let's Encrypt allows you to prove ownership of a domain through DNS 01 hooks.

I personally use Duck DNS [1] for main internal domains, so I can have a certificate that most tools will recognize as valid. This saves me from adding my cert in every machine that will use that service.

I use dehydrated [2] to get a Let's Encrypt certificate using Duck DNS. There is a good article explaining that by Andreas Gohr [3].

[1] - https://www.duckdns.org/

[2] - https://github.com/lukas2511/dehydrated

[3] - https://www.splitbrain.org/blog/2017-08/10-homeassistant_duc...
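
Added example, not part of the comment above and not code from dehydrated or the linked article: a minimal dehydrated hook that answers the DNS-01 challenge through the Duck DNS update API, so no internal service has to be reachable from outside. The `DUCKDNS_TOKEN` environment variable and the function names are assumptions chosen for this sketch; the handler arguments and the `txt`/`clear` parameters follow the dehydrated hook interface and the Duck DNS API.

```shell
#!/bin/sh
# dehydrated hook for the dns-01 challenge via Duck DNS (added example).
# Assumed setup: CHALLENGETYPE="dns-01" and HOOK=<this file> in dehydrated's
# config, and DUCKDNS_TOKEN exported in the environment (not stored here).
DUCKDNS_API="https://www.duckdns.org/update"

# "example.duckdns.org" -> "example"; anything else is rejected so that no
# unexpected characters reach the request URL.
duckdns_subdomain() {
  case "$1" in
    *.duckdns.org) set -- "${1%.duckdns.org}" ;;
    *) return 1 ;;
  esac
  case "$1" in
    ""|*[!a-z0-9-]*) return 1 ;;
  esac
  printf '%s\n' "$1"
}

# Build the update URL. An empty TXT value means "remove the record".
duckdns_url() {
  if [ -n "$2" ]; then
    printf '%s?domains=%s&token=%s&txt=%s\n' "$DUCKDNS_API" "$1" "$DUCKDNS_TOKEN" "$2"
  else
    printf '%s?domains=%s&token=%s&txt=removed&clear=true\n' "$DUCKDNS_API" "$1" "$DUCKDNS_TOKEN"
  fi
}

# The URL goes to curl on stdin, so the token never appears in `ps` output.
# Duck DNS answers with the literal body "OK" or "KO".
duckdns_send() {
  [ "$(printf 'url = "%s"\n' "$1" | curl --silent --fail --config -)" = "OK" ]
}

# dehydrated calls: <hook> <handler> <domain> <token_filename> <token_value>
hook() {
  case "${1:-}" in
    deploy_challenge) txt="${4:-}"; [ -n "$txt" ] || return 1 ;;
    clean_challenge)  txt="" ;;
    *) return 0 ;;  # other handlers (deploy_cert, ...) need no DNS change
  esac
  [ -n "${DUCKDNS_TOKEN:-}" ] || { echo "DUCKDNS_TOKEN is not set" >&2; return 1; }
  case "$txt" in *[!A-Za-z0-9_-]*) return 1 ;; esac
  sub=$(duckdns_subdomain "${2:-}") || { echo "not a Duck DNS name: ${2:-}" >&2; return 1; }
  duckdns_send "$(duckdns_url "$sub" "$txt")"
}

hook "$@"
```

The Duck DNS token can rewrite every record of the account, so the file or service unit that exports it should be readable only by the user running dehydrated.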


> Self-signed certs just seem so dangerous.

Why are they dangerous? Is that because they need to be manually added to applications, and no one bothers to do that?


There is nothing dangerous about self-signed certs; browsers show you a warning because they don't know if they should trust the cert. If you add your CA to the trust store then you can sign your localhost certs.


> If you add your CA to the trust store then you can sign your localhost certs.

Not necessarily. Google have decided that Android users can't be trusted to install their own certificates. I don't know if Apple will permit it, either.



