Comment by lxgr
Then only allow self-signed certificates for literal IPs or those on .local (and other private/reserved TLDs).
Right now, .local is completely impossible to encrypt, as well as impossible to use “secure origin” APIs on, which is a shame.
.local also hasn't been best practice since 2005. The current recommendation, because of certificates, is to use an internal-only subdomain of a domain you have control over.
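The policy proposed above (accept a self-signed certificate only for a literal IP or a name under a private/reserved TLD, and require a real CA-issued certificate for everything else) is easy to get subtly wrong: a name like `localhost.attacker.example` must not match, trailing dots and case must be normalized, and bracketed IPv6 literals count as IPs. The following added example (not code from any commenter in this thread) implements that classification; the suffix list is an assumption drawn from RFC 6762 (`.local`), RFC 2606 (`.localhost`, `.test`, `.example`, `.invalid`) and RFC 8375 (`.home.arpa`), and should be adjusted to local policy.

```python
import ipaddress

# Suffixes treated as private/reserved. Assumption: this list is illustrative
# (RFC 6762, RFC 2606, RFC 8375); an "internal-only subdomain of a domain you
# control" is deliberately NOT here, since that case should use a real CA.
RESERVED_SUFFIXES = ("local", "localhost", "home.arpa", "test", "example", "invalid")


def normalize_host(host):
    """Lower-case, strip whitespace and a trailing root dot."""
    return host.strip().rstrip(".").lower()


def is_ip_literal(host):
    """True for IPv4 or IPv6 literals, including the bracketed [..] URL form."""
    h = host.strip()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def is_reserved_suffix(host):
    """True only if the name's trailing labels are exactly a reserved suffix,
    so 'localhost.evil.example.com' does not match 'localhost'."""
    labels = normalize_host(host).split(".")
    for suffix in RESERVED_SUFFIXES:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts:
            return True
    return False


def classify(host):
    """Return 'ip-literal', 'reserved-suffix' or 'public-name'."""
    if is_ip_literal(host):
        return "ip-literal"
    if is_reserved_suffix(host):
        return "reserved-suffix"
    return "public-name"


def self_signed_allowed(host):
    """Policy from the thread: self-signed certs are acceptable only for
    IP literals and reserved/private suffixes; everything else needs a CA."""
    return classify(host) != "public-name"


if __name__ == "__main__":
    # Constructed sample hostnames for demonstration.
    samples = [
        "printer.local", "Printer.LOCAL.", "192.168.1.10", "[fe80::1]",
        "router.home.arpa", "intra.corp.example.com", "localhost.evil.com",
    ]
    for name in samples:
        verdict = "self-signed OK" if self_signed_allowed(name) else "CA required"
        print(f"{name:28} {classify(name):16} {verdict}")
```

Names under a domain you control, such as an internal-only subdomain, fall into `public-name` on purpose: that is exactly the case the reply says should carry a certificate from a CA rather than a self-signed one.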