What I do is buy localme.xyz and get a wildcard cert via DNS validation. This way you get SSL for offline devices. But you need to update the cert periodically.
I wish there was a way to automate wildcard certs; at the moment I'm building a Python script that logs in to my domain registrar's panel and updates DNS records.
If your domain provider's API sucks, or doesn't exist, or requires generating a password/key with more permissions than you're willing to give a script, look at acme-dns [1] and delegated DNS challenges: