VPN and sleep peacefully knowing you can skip a month of patches without thinking about it.
Life’s too short to worry about exposed services. Just set up the remote VPN clients so only traffic meant for your network is tunneled, and your family will never even know it’s there.
Just use Wireshark/tcpdump/etc. and trace the packets until you find the issue.
I’d also suggest you start simple and just get plain ol’ HTTP working first, since your problem has nothing to do with certs or any of that.