Ok, so here is the thing; you CAN enable SSL on your local network, HOWEVER, you won’t be able to use a signed certificate like from letsencrypt. Instead, it will harass you and your users about an untrusted certificate every time you connect.
To enable SSL for your nextcloud instance should be as simple as setting your virtualhost to listen on port 443 instead of 80. You probably should also set up a virtualhost on port 80 to redirect to 443 because your users probably won’t type in the “https://” part.
<VirtualHost 192.168.1.x:80>
REDIRECT permanent / https://192.168.1.x/
</VirtualHost>
<VirtualHost 192.168.1.x:443>
SSLEngine on
# nextcloud configurations here
</VirtualHost>
Of course, a certificate would be a lot better. That means a domain name (try freenom.com!) and a public IP address. In order to enable letsencrypt, you’ll typically need to open port 80 to the outside world, which you can actually do on an as-needed basis when you run certbot. Otherwise, you can keep the outside access closed at your firewall, while allowing your internal systems to access nextcloud on SSL using the public IP address and domain name. Note that I understand there to be other authentication mechanisms for letsencrypt, but I’m not familiar with them and can’t advise you on them.