You can get a free cert from letsencrypt using their DNS challenge. No need to expose to the internet. Add a DNS record that points to the address of your LAN and it'll make things even easier for your guests.
Not interested in going through the effort of setting up a DNS record, go through the whole DNS challenge process, and go through a periodic manual renewal process, for every stupid little thing (many even just temporary things which don't even have a static DHCP lease). There's literally no advantage for my use case, except that I'd be allowed by the web standard bodies to use their shiny new toys that they artificially lock away otherwise.
For the permanent installation case, it's typically easier to use mDNS domains since they're shorter. 'mediapc.local' is easier for guests to type than 'mediapc.local.mort.coffee' or whatever I'd end up with.
What would be a good solution is self-signed certificates, but that too is a non-option until all browser vendors downgrade the warning from a "Someone is trying to hack you!" style scare screen to a more informative "this is a self-signed certificate, do you trust it?" style warning screen.
I would be perfectly happy with a solution where browsers show a scare screen for self-signed certificates on the public internet but a benign-looking "Do you want to trust this certificate?" screen for 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 or mDNS .local domains.
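The split trust policy sketched in the reply above (scare screen on the public internet, plain trust prompt for the three RFC 1918 ranges and mDNS .local names) written out as an added Python example; it is not part of the thread, and every URL and hostname in it is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# The private IPv4 ranges named in the comment above.
PRIVATE_V4 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_local_network_host(url: str) -> bool:
    """True when the URL's host is an RFC 1918 address or an mDNS .local name."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    host = urlsplit(url).hostname  # strips port and IPv6 brackets
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. Only names whose final label is "local" count,
        # so "mediapc.local.mort.coffee" is a public name, not mDNS.
        return host.lower().rstrip(".").endswith(".local")
    return any(addr in net for net in PRIVATE_V4)


def classify_cert_warning(url: str, chain_is_trusted: bool) -> str:
    """Which interstitial a browser following this policy would show."""
    if chain_is_trusted:
        return "none"
    return "trust-prompt" if is_local_network_host(url) else "scare-screen"


if __name__ == "__main__":
    # Constructed sample URLs, all presenting an untrusted (self-signed) chain.
    for u in ("https://mediapc.local/", "https://192.168.1.10:8443/admin",
              "https://mediapc.local.mort.coffee/", "https://8.8.8.8/"):
        print(f"{u:40} -> {classify_cert_warning(u, False)}")
```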