Internal hosts are frequently referred to by short name, so appserver.example.com, being an internal host, is only referred to as 'appserver', not by its FQDN.
The problem then arises that any certificate must contain the short name to match the user typing https://appserver.
If the certificate does not contain that name but only appserver.example.com, then you get a name mismatch error. It will only match if the user always presents an FQDN as the URI, which is uncommon in corporate environments and a usability compromise.
A public CA such as LE won't accept a cert request using 'appserver' as the name as it's not globally unique. Public CAs only assert the identity of globally unique identifiers.
The right way to do this for internal sites is a private internal CA. Many, many products and solutions are available to do this. I like the simplicity and flexibility of openssl in this regard.
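The name mismatch described above can be reproduced with a throwaway private CA. This is an added example, not code from the original post; the CA name, file labels and 30-day lifetimes are constructed for the demo, and it assumes an `openssl` binary of version 1.1.0 or later on the PATH.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway private CA, two leaf certs, hostname checks.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root. In production the CA key stays offline or in an HSM.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert <label> <subjectAltName value>: leaf key + CSR, signed by the CA.
issue_cert() {
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = %s\n' \
    "$2" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=appserver.example.com" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# name_ok <label> <host>: chain must verify to the private CA AND host must match a SAN.
name_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

issue_cert fqdn_only "DNS:appserver.example.com"
issue_cert both      "DNS:appserver,DNS:appserver.example.com"

# Print the match matrix: only the cert carrying both SANs covers https://appserver.
for cert in fqdn_only both; do
  for host in appserver appserver.example.com; do
    if name_ok "$cert" "$host"; then r=match; else r=MISMATCH; fi
    printf '%-10s %-24s %s\n' "$cert" "$host" "$r"
  done
done
```

Clients only accept either certificate once `ca.crt` is in their trust store, so distributing the root to managed machines is part of running the private CA.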