For a proper trusted certificate you’re best to have a domain. That doesn’t mean you need to expose anything to the internet.
If you have Traefik or HAProxy they can auto-issue certificates from Let's Encrypt with the right config. Just don’t allow external access to those front ends.
I have the same sort of thing set up with pfSense and the site is internal only via HAProxy to the Docker container. Works great.