The homelab had reached the stage where every service lived on its own port and every one of them threw a certificate warning. I had a mental map of which colon-number meant which app, which is a sign of a problem, not a system. So I put a single reverse proxy in front of the lot and gave everything a real name.
The bit people get stuck on is certificates for things that aren't reachable from the internet. You don't need to expose them. Let's Encrypt's DNS-01 challenge proves you control the domain by writing a TXT record, so the box requesting the cert never has to accept an inbound connection. My proxy talks to my DNS provider's API, gets a wildcard for *.home.example, and renews on a timer. Everything internal then sits behind one trusted cert.
So grafana.home.example and unifi.home.example both resolve to the proxy on the LAN, terminate TLS there, and hand off to the real service over plain HTTP on the back side. No warnings, no remembered ports, and nothing facing outward that doesn't have to. The wildcard means adding a new service is one proxy block and zero new certificates.
The only real gotcha was rate limits while I fumbled the DNS credentials; test against Let's Encrypt's staging endpoint first, or you'll spend an hour locked out wondering why. Past that, it has quietly renewed itself for weeks and I've stopped thinking about it, which is the whole point.
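The same setup as one concrete config, an added example rather than the post's own: it assumes Caddy as the reverse proxy, the caddy-dns/cloudflare plugin with Cloudflare as the DNS provider (both assumptions, since the post names neither), a scoped API token in the CF_API_TOKEN environment variable, and made-up LAN addresses for the two backends.

```caddyfile
# Added example, not the original post's config. Assumes Caddy built with the
# caddy-dns/cloudflare plugin; swap the "dns" line for your provider's module.
{
    # Staging CA while the DNS credentials are still being worked out: it has
    # relaxed rate limits and issues untrusted certs. Delete this line once one
    # staging issuance succeeds, then Caddy will obtain the real wildcard.
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email admin@home.example
}

# One site block, one wildcard cert. Caddy renews it on its own schedule.
*.home.example {
    tls {
        # DNS-01: Caddy publishes the challenge TXT record through the provider
        # API, so nothing on the LAN has to accept an inbound connection.
        # CF_API_TOKEN should be scoped to DNS edit on this one zone only.
        dns cloudflare {env.CF_API_TOKEN}
    }

    # Route by hostname to the real service over plain HTTP on the back side.
    @grafana host grafana.home.example
    handle @grafana {
        reverse_proxy 10.0.0.10:3000
    }

    @unifi host unifi.home.example
    handle @unifi {
        reverse_proxy 10.0.0.11:8080
    }

    # Adding a service is one more matcher + handle pair; no new certificate.
    # Unknown names under the wildcard get a 404 instead of a default backend.
    handle {
        respond 404
    }
}
```

Point grafana.home.example and unifi.home.example at the proxy's LAN address in your internal DNS; the public zone only ever sees the _acme-challenge TXT records.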