Re: "We decided on a global fallback"
They are usually accessed by IP address, and you can't get a certificate for that.
Partially correct. You can get publicly trusted certificates for a public IP address, but not for a reserved i.e. private IP address (and any public certificates that were issued for reserved IP addresses were revoked around a decade ago IIRC.)
If you need a certificate for a reserved IP address for your own internal network, you can set up your own certificate authority (e.g. Active Directory Certificate Services if you're of a windows persuasion) and bake your own.