To give a little direction to this thread:
First, the OP has also made a post on serverfault.com explaining the greater context.
The basic problem is this. Suppose you are on your private LAN, using reserved non-routable IP addresses such as 192.168.1.* and 10.*.*.*
If you have internal hosts such as router.lan or homeassistant.lan and you access them with your browser, you will get various SSL certificate errors.
Mostly, you will get a self-signed certificate error, which cannot be resolved as nobody can own .lan or .local hostnames.
One solution is to add the self-signed certificates to your local certificate repository, which needs to be done for every computer and every time you reinstall your OS.
Another solution would be to put the public keys in your DNS records,
specifically using the DNSSEC/DANE CERT DNS records in your local DNS server in the case of internal hosts.
Doing this will also allow website administrators to bypass Let's Encrypt entirely. Instead of Let's Encrypt signing your certificate, you put it in a CERT DNS record directly.
The functionality to validate DANE CERT records used to be part of Firefox, but this add-on was broken when an API was deprecated permanently in 2017.
Discussion of the broken add-on
Various related bugs
Firefox add-on still in the store?
There is apparently partial support of this already in Firefox 50?
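
An added example, not part of the original post and not code from any Firefox add-on: DANE as specified in RFC 6698 publishes the certificate association in a TLSA record, and the sketch below shows the comparison a validating client makes between that record and the certificate the server presents. The DER skeleton is constructed filler rather than a real certificate, only usage 3 (DANE-EE) is handled, and DNSSEC validation of the record itself is assumed to have happened already.

```python
import hashlib

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki(cert_der):
    """Return the SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert_der, pos)
    if tag == 0xA0:                   # explicit [0] version, absent in v1
        pos = end
    for _ in range(5):                # serial, sigAlg, issuer, validity, subject
        pos = tlv(cert_der, pos)[2]
    return cert_der[pos:tlv(cert_der, pos)[2]]

DIGESTS = {0: bytes, 1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def tlsa_matches(rdata, cert_der):
    """rdata is TLSA presentation form: 'usage selector mtype hex'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage != 3:  # 3 = DANE-EE: pin the server's own cert, no CA chain
        raise ValueError("only usage 3 (DANE-EE) is handled here")
    if selector not in (0, 1) or mtype not in DIGESTS:
        raise ValueError("unknown selector or matching type")
    subject = cert_der if selector == 0 else spki(cert_der)
    return DIGESTS[mtype](subject) == bytes.fromhex(data.replace(" ", ""))

def der(tag, body):  # sample builder only; bodies must be under 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

# Constructed sample: an X.509-shaped skeleton with filler fields, not a real cert.
SAMPLE_SPKI = der(0x30, b"\x00" * 150)
tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
          + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    print(tlsa_matches("3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest(), SAMPLE_CERT))
```

Selector 1 pins only the public key, so the record survives reissuing the certificate with the same key; selector 0 pins the whole certificate and has to be republished on every renewal.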