I have a public domain that I only use internally on my home network. I have a local DNS server that handles all my internal DNS records. So I just point my DNS records to my nginx proxy manager's local IP address and let it create certs using DNS Challenge. So I don't need to expose anything external to make it work.