There have been many threads about this in the past.
I recall many conversations about how Plex was doing it. I could not find the one I had thought of... but I did find this thread/posting where ISRG staff say "I think the way Plex did it is still considered pretty much best-in-class".
Here are 2 more:
- Using a letsencrypt certificate as a signer - #4 by rg305 [contains ISRG recommendations]
- Trusted Self-Signed Certificates for variable IP addresses