SSL in HASS.IO when the root domain is already hosted on a server on the same network

I have an Ubuntu box that's running Webmin and Virtualmin. It's in my house. I have a static IP from my ISP. Ports 80 and 443 are forwarded to the name server, which is running Apache and serves the sites just fine.

The goal is to get https://hassio.[domain].com to point to the RPi3. So far, I’ve achieved this through the Virtualmin Website Proxy setting for the virtual server hassio.[domain].com.

When I browse to http://hassio.[domain].com:8123, my instance of Home Assistant appears.

I'm attempting to install the Let's Encrypt add-on, but am uncertain of the configuration that will actually work. My router forwards all traffic on 80 and 443 to the web server, and with DuckDNS I need it to be proxied and forwarded to the other internal hardware (RPi3). When I start the add-on, I get:

Failed authorization procedure. hassio.[domain].com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://hassio.[domain].com/.well-known/acme-challenge/2gYkOylpB6rJ4d_HnAlHoE_F1FFSUy6BWaYsLqu8k30: "<!DOCTYPE html>
<html lang="en-US">
<head >
<meta charset="UTF-8" />
	<meta name="robots" content="noodp,noydir" />
	<meta nam"
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: hassio.[domain].com
   Type:   unauthorized
   Detail: Invalid response from
   http://hassio.[domain].com/.well-known/acme-challenge/2gYkOylpB6rJ4d_HnAlHoE_F1FFSUy6BWaYsLqu8k30:
   "<!DOCTYPE html>
   <html lang="en-US">
   <head >
   <meta charset="UTF-8" />
                  <meta name="robots" content="noodp,noydir" />
                  <meta nam"
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I think you'll need to manually set up Let's Encrypt.

I'm running on Windows, with only 1 internal IP address assigned to port 443, so all the magic proxy stuff you are doing through Virtualmin I can't speak to.

It’s been a while, but if I remember correctly I had to:

- install and configure an ACME client for cert renewal
- I think I had to use OpenSSL to generate some keys
- set up a .well-known directory hosted on port 80 to prove to Let's Encrypt that I was the owner of the domain

Once all that was done, there is a scheduled task that runs every day that calls out to https://acme-v01.api.letsencrypt.org/ to renew the cert.

Ultimately, what I think you need to figure out how to do is get a cert issued to hassio.[domain].com, then figure out how to do the magic to get port 443 forwarded to the IP address of the RPi3.
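The error in the question shows the CA's challenge request landing on the Virtualmin box's own HTML page instead of the Pi. As an added example (not from either poster), here is an Apache configuration for that box that hands the ACME challenge path to the Pi and then reverse-proxies port 443 for this hostname to Home Assistant, which is the "port 443 forwarding" the reply describes. Assumptions: the RPi3 is at 192.168.1.50 (placeholder), the Let's Encrypt add-on answers the HTTP-01 challenge on the Pi's port 80, Home Assistant serves HTTPS on 8123 with the resulting certificate, and /etc/hosts on the Apache host maps hassio.[domain].com to 192.168.1.50 so backend verification can use the real hostname.

```apache
# Added example, not from the thread. Apache on the Ubuntu/Virtualmin box, which owns 80/443.
# Placeholders: RPi3 = 192.168.1.50; cert paths under /etc/ssl/hassio/.
# Needs mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and mod_ssl enabled.

<VirtualHost *:80>
    ServerName hassio.[domain].com
    ProxyPreserveHost On
    # Send ACME challenge requests to the Pi. Without this the CA fetches this server's
    # own HTML page and reports "unauthorized", exactly as in the log above.
    ProxyPass        /.well-known/acme-challenge/ http://192.168.1.50/.well-known/acme-challenge/
    ProxyPassReverse /.well-known/acme-challenge/ http://192.168.1.50/.well-known/acme-challenge/
    # Everything else for this name goes to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName hassio.[domain].com
    SSLEngine On
    # Apache terminates TLS for this name, so it needs its own copy of the certificate
    # (the add-on's fullchain/privkey copied from the Pi; placeholder paths).
    SSLCertificateFile    /etc/ssl/hassio/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/hassio/privkey.pem

    # The backend is HTTPS. Verify its certificate against the system CA bundle; the
    # /etc/hosts entry lets the ProxyPass URL carry the hostname the Pi's cert is issued for,
    # so peer-name checking can stay enabled instead of being switched off.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    ProxyPreserveHost On
    ProxyRequests Off
    # Home Assistant's frontend uses a websocket; upgrade those connections first.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/(.*)$ wss://hassio.[domain].com:8123/$1 [P,L]
    ProxyPass        / https://hassio.[domain].com:8123/
    ProxyPassReverse / https://hassio.[domain].com:8123/
</VirtualHost>
```

Apache cannot pass raw port-443 traffic through by hostname, which is why the second virtual host terminates TLS itself and needs a certificate of its own; after enabling the config, confirm the challenge plumbing by fetching a test file under http://hassio.[domain].com/.well-known/acme-challenge/ from outside the LAN and checking that the response is the file content rather than an HTML page.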