Hi, I have been trying to get my reverse proxy working for too long now. I got it kinda working but it still will not resolve correctly. I followed all the videos from the YouTube channel many times, factory reset and tried again at least 3 times. Still lost as to what I am doing wrong. I have it kinda working but not. It keeps resolving to a self-signed cert warning for all of my servers. If I do a dig from my laptop I get 2 addresses: one for the actual address for that machine on my network, the other the correct address for the host override that points to my pfSense. To further add to the confusion, when I make a backend and point it to my Proxmox server, which does not have a static DHCP reservation in pfSense, it gives me the proper HAProxy/pfSense address, but still a self-signed cert instead of the proper HAProxy cert. It always gives me a self-signed cert instead of my ACME cert I created for this. My troubleshooting skills are at a loss. I have banged my head against the wall enough; someone please help. Thanks in advance.
Not a direct answer to your question, but Proxmox has its own ACME client where you can request certificates directly.
I would recommend this approach instead of using a reverse proxy because then you can point the DNS record for your Proxmox server directly to the IP address of the Proxmox server instead of the reverse proxy’s IP address. This means that you can use one domain name for all protocols and services provided by the Proxmox server, not just HTTPS, but also SSH, SPICE, etc.
Sure you could probably route SSH, and SPICE through HA proxy as well, but I decided to take the easy route and install the certificates directly on the Proxmox server.
This is my latest guide, make sure your DNS points at the HAProxy IP
I have a troubleshooting video here:
I have more than just a Proxmox server running. I am also trying to get Emby to have a secure connection, in addition to Home Assistant and TrueNAS etc. I have watched both videos and all the other videos too many times. I am still stuck. I have duplicated every step so many times and it never resolves correctly. The closest I have ever gotten to getting a reverse proxy to work was yesterday. Now, after yesterday, every time I try to connect to any internal servers with the correct fully qualified domain name, instead of no connection, it is serving me the internal server's self-signed cert warning. When I use dig I get the address of the server first, then the pfSense/HAProxy address next. I do not know why it does that. Does it matter that the servers have a static IP address issued from pfSense? Except my Proxmox server does not have a static from pfSense. When I dig for my Proxmox I get only the pfSense/HAProxy address, but it still gives me a self-signed cert error when I connect with my browser. If I use the openssl tool I get the proper certificate (I think). But my browser always gives me a self-signed cert. I factory reset things a couple of times over my many-month journey into HAProxy; I just reset everything again (much to the annoyance of family). Still get a self-signed error when trying to connect with my browser. I feel like I understand the basics; I followed all the steps in all the videos step by step. I started my computing journey as a child with a Commodore Amiga, then a 386SX with DOS 5. I have since moved to a Linux Mint Cinnamon desktop, Debian 12 with Plasma on my laptop, an HP 440 Proxmox server, and an HP EliteDesk with an i5 and a 4-port NIC card as a pfSense box. Heck, I built my desktop drunk at 1 in the morning on my kitchen floor. This should not be hard for me. What the bleep am I doing wrong? I am at a loss; I have sunk too many hours into trying to get this to work with zero results.
I am about to nuke the whole idea completely and just accept it will never work. Please help!!
Yeah that’s likely what causes the issue. It’s always DNS.
No, but enabling “Register DHCP static mappings in the DNS Resolver” might cause that behavior.
Although I’d expect manually configured DNS overrides to take precedence over DHCP static mappings, could you check whether this option is enabled under Services > DNS Resolver in pfSense? And if it is, try disabling it.
If you’re using a separate DNS server for your local DNS records and have pfSense configured as your upstream DNS server, I’d say you definitely need to disable this option. Otherwise, you’ll end up with exactly the situation you’re seeing now: two conflicting DNS records for the same hostname, one from your internal DNS server pointing to the HAProxy address, and another from pfSense’s internal DNS Resolver (via DHCP static mappings) pointing to the Proxmox host. This can lead to inconsistent resolution, as clients may receive either IP, depending on which DNS record responds first.
Another way to avoid this issue, which would allow you to keep static DHCP mappings enabled, is to use a different hostname or subdomain for HAProxy access. This is probably the cleaner solution overall.
For example, if your Proxmox host is named pve01, you could configure HAProxy to serve the Web UI under something like proxmox01.yourdomain.tld. That way, pve01.yourdomain.tld could still resolve directly to the Proxmox server’s IP address (for SSH, etc.), while proxmox01.yourdomain.tld would point to the HAProxy IP in DNS (for web access).
However, both approaches may introduce other issues that are specific to Proxmox: for example, SPICE might not work out of the box, because it doesn’t use port 443 and relies on hostname consistency, which of course is only an issue if you’re using it.
Nevertheless, this is why I recommended installing the SSL certificates directly on the Proxmox hosts and avoiding a reverse proxy in the first place: because I use SPICE frequently, and I also don’t want to deal with multiple hostnames or FQDNs for different access methods, or use the IP address when SSH-ing in.
Addition:
If you’ve already issued a wildcard certificate in pfSense and don’t want to use the ACME client in Proxmox for some reason, you can also simply export the certificate manually under System > Certificates in pfSense and then import it via the Proxmox web UI.
This is, of course, a manual process that you’d need to repeat every 60–90 days. However, in my opinion, this is still better than using a reverse proxy with Proxmox.
You can still use HAProxy for other (HTTPS-only) services. However, to avoid issues with conflicting DNS records, it will still be necessary either to use a HAProxy subdomain for those services that doesn’t match the server’s hostname or to disable static DHCP mappings.
One more addition:
A third option would be to use a different domain in HAProxy than for the actual hosts, e.g. hostname.yourdomain.tld in HAProxy and hostname.yourotherdomain.tld for the actual host, or you could use sub-subdomains, as in the following example:
For example, you could name the actual hosts hostname.local.yourdomain.tld, and the corresponding HAProxy frontend hostname.yourdomain.tld, and then define local.yourdomain.tld under DHCP Server > Other DHCP Options > Domain Name in pfSense. That way, all hosts that receive their IP via pfSense’s DHCP server will register themselves in DNS accordingly as hostname.local.yourdomain.tld, which would avoid conflicting DNS records as well.
However, none of these options solve the issue that the domain name used in HAProxy can only be used for HTTPS unless other protocols are also routed through HAProxy. This is not really an issue for HTTPS-only services like Emby, but on servers such as Proxmox or NAS systems that serve multiple protocols, using different domain names for those different protocols or access methods can be inconvenient and may even break certain functionality (like SPICE in Proxmox).
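The "two answers for one name" situation described above (one A record for the backend host, one for HAProxy) is easy to spot mechanically. This is an added example for the thread, not something any poster wrote: it parses the ANSWER SECTION of `dig` output and flags each name as resolving to the proxy only, to the backend only, or to both (the conflict). The names and IPs are constructed; 192.0.2.1 stands in for the pfSense/HAProxy address.

```python
"""Spot the 'two answers for one name' DNS conflict described in this thread.

Added example, not from any poster. The dig output below is constructed;
192.0.2.1 stands in for the pfSense/HAProxy address, 192.0.2.23 / .45 for
backend hosts.
"""
import re

# Matches one A record as printed in dig's ANSWER SECTION.
A_RECORD = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")

SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
homeassistant.yourdomain.tld. 3600 IN A 192.0.2.23
homeassistant.yourdomain.tld. 3600 IN A 192.0.2.1
pve01.yourdomain.tld.         3600 IN A 192.0.2.1
truenas.local.yourdomain.tld. 3600 IN A 192.0.2.45
"""


def parse_a_records(text: str) -> dict[str, list[str]]:
    """Group A-record answers by owner name; comments and other types are skipped."""
    records: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.setdefault(m.group(1).lower(), []).append(m.group(2))
    return records


def classify(ips: list[str], proxy_ip: str) -> str:
    """How a name behaves when a browser resolves it and picks one answer.

    'proxy'    - only the HAProxy IP: TLS terminates at HAProxy as intended
    'direct'   - only backend IP(s): the browser sees the host's own cert
    'conflict' - both: clients randomly get the proxy or the backend cert
    """
    if not ips:
        return "unresolved"
    has_proxy = proxy_ip in ips
    has_other = any(ip != proxy_ip for ip in ips)
    if has_proxy and has_other:
        return "conflict"
    return "proxy" if has_proxy else "direct"


def audit(dig_text: str, proxy_ip: str) -> dict[str, str]:
    """Verdict per name; every name meant for HAProxy should come out as 'proxy'."""
    return {name: classify(ips, proxy_ip)
            for name, ips in parse_a_records(dig_text).items()}
```

Feed it the combined ANSWER SECTIONs from `dig` against the resolver your clients actually use; any name meant for HAProxy that is not reported as `proxy` is the DNS problem, not an HAProxy one.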
Well, I am still completely lost in this madness. I deleted the pfSense static IP registration for my Home Assistant located on a separate low-power old crappy computer I have. I set the Home Assistant computer to a static IP manually. Now when I dig for the address it responds with the HAProxy/pfSense address and only that address. But when I try to resolve it in my browser I still get a self-signed error, error code bad cert domain. When I use the openssl command it takes a bit, but by the end I get "Your browser didn't send a complete request in time" error. Still at a total loss. Seriously, this should not be this difficult. I deleted the HAProxy package and deleted the lines in the config file after. Reinstalled HAProxy, did everything over again. Still get a self-signed cert for my Home Assistant. Your idea of switching domains sounds fine; I tried it with my Emby server, nothing. Am I stuck because my computers, servers, phones and pfSense all have the same domain name? Idk how to change the domain name in Home Assistant. Should I nuke my whole setup again with separate domain names? I am starting to hate this. I have been trying to get this to work on and off for months now. What the bleeping hell am I doing wrong? This should not be this hard to figure out.
Then there’s probably something wrong with your HAProxy config.
First, make sure the correct certificate is being served by HAProxy, and that the certificate actually contains the correct server name. If you’re using a wildcard certificate, keep in mind that Let’s Encrypt only issues wildcard certificates for one level: for example, *.yourdomain.tld works for sub.yourdomain.tld, but not for sub.sub.yourdomain.tld.
Also, if you’re using a self-signed certificate on the backend server, make sure “Encrypt (SSL)” is set to yes, and “SSL checks” to no in your HAProxy backend settings.
Other than that, I’m not sure what else could cause the issue. Maybe post your config here, and if nobody has any more ideas, you might also want to try the pfSense forums and/or r/pfSense.
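The two checks in the reply above (is HAProxy serving a trusted cert at all, and does that cert's name actually cover the hostname, including the one-level wildcard rule) can be done from a client in a few lines of Python. This is an added example, not from any poster: `probe()` connects to the HAProxy IP with SNI set to the hostname and reports `untrusted` (a self-signed or default cert is being served), `bad-domain` (trusted cert, but the SANs do not cover the name) or `ok`; the matching logic runs offline. Hostnames and IPs are constructed placeholders.

```python
"""Check whether the cert HAProxy serves for a name actually covers it.

Added example for this thread, not from any poster. Hostnames/IPs are
constructed placeholders (yourdomain.tld, 192.0.2.1).
"""
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one DNS label.

    '*.yourdomain.tld' matches 'sub.yourdomain.tld' but not
    'sub.sub.yourdomain.tld' and not 'yourdomain.tld' itself.
    Patterns with '*' anywhere else are treated as literal (no match).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """cert is the dict shape returned by ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(wildcard_matches(n, hostname) for n in names)


def probe(hostname: str, proxy_ip: str, port: int = 443) -> str:
    """Connect to the HAProxy address with SNI=hostname and classify the result.

    'untrusted'  - chain does not verify against the system trust store
                   (a backend's self-signed cert or HAProxy's default cert)
    'bad-domain' - trusted cert, but its SANs do not cover hostname
                   (the browser's 'bad cert domain' error)
    'ok'         - trusted cert that covers hostname
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # SAN check is done by cert_covers()
    ctx.verify_mode = ssl.CERT_REQUIRED   # still verify the chain
    try:
        with socket.create_connection((proxy_ip, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "untrusted"
    return "ok" if cert_covers(cert, hostname) else "bad-domain"
```

Probing the HAProxy IP directly (rather than letting the client resolve the name) separates certificate problems from the DNS problem discussed earlier in the thread.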
OK, so firstly, appreciate the help. I still do not quite know what I am doing; sorta figured out some things but still mostly lost. Anyway, I changed the domain names of my computers, virtual and otherwise. Before I had *.sub.mydomain.com for all my computers. Now it is just *.mydomain.com. I am using Cloudflare for main DNS, Tailscale next, with Quad9 as a backup. I have Tailscale installed on my Home Assistant and phone and laptop. Now after that change I seem to have the correct SSL cert working. My TrueNAS server resolves correctly with a Let's Encrypt cert. However, none of my other machines seem to resolve. My Home Assistant, Emby server and Proxmox server all give me a 503 error with a proper Let's Encrypt cert. How do I figure out what I am missing for my backend servers to work? They are all on static IPs from each individual server, not from pfSense; they all have the same domain as my TrueNAS, but each gives me a server down when I apply any HAProxy settings. At least I got part of it working. If TrueNAS is properly resolving and I get a 503 error then I am most of the way to my goal. Still lost as to what I am doing wrong on the backend for my Home Assistant, Proxmox and Emby server. Emby is the one I want to get working the most. If I can get an FQDN for Emby working then I can take advantage of voice activation, better connection for streaming and etc. etc. Most importantly, with an FQDN for Emby I can share my server with my parents and brother way easier. Dunno what I am missing. I got part of it thanks to your help; I am still lost on the rest. Thanks in advance.
Please attach screenshots of your configuration for your HAProxy, firewall rules and your dig result. Just blur out your domain and some part of your public IP address if you are trying to make it work on the Internet, but if you are just using it internally do not blur out your private IP address.
This will help us further understand your configuration.