If the Fully Qualified Domain Name of the nginx web server appears in the Internet’s public DNS system, even if it’s not possible to connect to this machine from the Internet, it will be possible for Let’s Encrypt to issue a certificate to you for this name, though it may prove tricky to arrange this depending on your exact requirements.
If the name could appear, but doesn’t, for example you have www.example.com on the Internet, and this server is internal.private.example.com and none of the private.example.com names are visible from the Internet, then you may be able to purchase certificates from another public CA, you should investigate resellers to find a good price.
If the name isn’t an Internet DNS name at all, for example example.corp or myserver.local then no public CA is permitted to issue certificates for these names since there is no single public authority on who owns them. You will need to use a private CA, either your own or one from a famous brand like Entrust or Symantec.
It is possible to have certificates for IP addresses, but Let’s Encrypt does not issue such certificates. Another public CA will only be permitted to issue for global IP addresses on the public Internet (not 127.0.0.1 nor 10.20.30.40, or similar) and only where they can establish you have enduring control over that address, for example because it was directly assigned to you by an Regional Internet Registry such as ARIN or RIPE. Most organisations cannot qualify under this rationale. Also, an IP address certificate is only useful on the web when you specify the IP address (not a name) in the URL, as this part of the URL must exactly match the name in the certificate.