Be the certificate authority, then see why Let's Encrypt exists

Trust on the web is a chain, a CA signs a server's certificate and clients verify against the CA they already trust. Build the whole chain yourself, a CA, a signed server certificate, a TLS service. Watch verification fail for the exact reason it should, then fix it by distributing trust the honest way. What you do by hand here is what Let's Encrypt automates for the public web.