Thanks for your thoughts in busy times!
I know there are many mentions of using letsencrypt around, but it requires that the address is public, even if it is not accessible. That is not permitted, and neither is your default setting of "call home on errors", so I disabled it in my custom build.
We decided against using letsencrypt because of the following on their blog:
The best option: Generate your own certificate, either self-signed or signed by a local root, and trust it in your operating system’s trust store. Then use that certificate in your local web server. See below for details.
You wrote:
running on an internal network is very rare
This might be a chicken-and-egg problem: it's rare because it is so difficult. Care homes (our use case) and small clinics would love it if it worked in a local sandbox.
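
The "signed by a local root" route from the quoted advice, as an added example that is not part of the original post or the project's own code: a private root CA issues a server certificate entirely offline. The host name `care.internal.example`, the file names and the lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: private root CA + server certificate, no public address needed.
# Host name, file names and validity periods are assumptions.
make_local_cert() {
  host="$1"; dir="$2"
  mkdir -p "$dir" || return 1
  old_umask=$(umask); umask 077   # private keys readable by owner only

  # Root CA profile: may sign leaf certificates only (pathlen:0).
  cat > "$dir/root.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Local Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf profile: TLS server only; browsers match the SAN, not the CN.
  cat > "$dir/server.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/root.cnf" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/root.cnf" -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  rc=$?
  umask "$old_umask"
  return $rc
}

# Succeeds only if server.crt chains to root.crt and its SAN matches the host.
check_local_cert() {
  openssl verify -CAfile "$2/root.crt" -verify_hostname "$1" "$2/server.crt" >/dev/null 2>&1
}
```

Only `root.crt` goes into each client's trust store, which is an OS-specific step the script does not perform; `root.key` should stay off the web server.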