

You don’t need to put the server in the DMZ, just port forward port 80 and 443. Most routers these days ignore all requests to ports that aren’t open. And stick it behind Cloudflare, so you don’t have to expose your IP. Cloudflare also allows you to generate SSL certs that are good for a decade.
Yeah, it’s a huge PITA to just, you know, click the button to generate a new cert and revoke the old one.