In general TLS certificates are always issued for an fqdn. Public certificate authorities (CA) only issue certificates for valid public fqdn. for local FQDN You can setup your own CA and issue certificates for internal FQDN as well (or you use self-signed certificates). in case on self-signed certificate or internal Ca you need to import the issuer certificate into each client to make them trust this certificate…
but if you just want to avoid going through the internet if you access your NC from internal network you might be looking for split-brain DNS pointing your public domain to the local IP (and still using public LE TLS cert).
Beware of “rebind protection” implemented in some routers…