When you create a certificate, it contains 1 or more addresses baked in. If the server (normally) or client (in the case of client certs) is on a different address then the cert is not for that device and your client (or server) will reject the cert as invalid.
So if you create a cert for a server using address jimbob.myserver.com but then access that server via 123.456.789.1, the cert will be invalid. In that case, you should add the IP address as well as the IP name when creating the cert.
For public Certificate Authorities like Let's Encrypt, they don't allow you to create certs for IP addresses as these are too easily spoofed. In such a case, if you wanted to have a cert that was valid both for external use and for internal network use, you would need to set up "hairpin DNS" or some other DNS that allowed you to access the server by IP name even when used internally.
That is what I do on my own home systems. I use the same public IP name internally as I would externally.