The only way you’d be able to get a publicly trusted certificate if your server isn’t publicly accessible is by using the ACME DNS challenge.