I have two applications that require SSL certs that are NOT web applications and are NOT publicly available but both of which require SSL PEM files.
One is a program called InterMapper and the other is a mail program called SurgeMail. (SurgeMail can support Web but that is not how the SSL is used and the webroot is not publicly available.)
I'm not sure if you should call it around something. Let's Encrypt certificates are perfectly fine for non-web applications.
The non-public part however might. You definitely need a publicly accessible domain name / hostname. If you do have a domain name / hostname in your control, you can use the dns-01 challenge to get a certificate.