Configuring HASS.io for SSL when used as a Reverse Proxy through Apache

Setup:

Ubuntu 16.04 acting as a name server with BIND DNS running Apache with multiple virtual hosts.
Router port forwards 80 and 443 to the Ubuntu box.
After adding the recommended virtual host settings to the conf file for apache, the reverse proxy works as expected, but, no valid certificate.

Since HASS.io is on a different IP address inside of the network, and the router can only point 443 and 80 to a single location, reverse proxy from apache on the server seems to be the only way to give HASS.io a sub-domain address for the UI.

Should I be installing a certificate on the virtual server in Apache, and not worry about SSL on the Pi3, or do I need to setup something on the Pi3 to handle the SSL?

I’ve tried adding the Let’s Encrypt add-on to HASS.io as well as DuckDNS, but with no success.

If I try to add the cert on the server, I get a block error because there’s no directory specified in the conf file for the reverse proxy.

I’m a bit lost at this point.