Hi vonfrank,
I'm using the pfSense packages haproxy and acme on my pfSense for this similar situation.
pfSense WebUI reconfigured to listen on port 8443.
pfSense WebUI redirect from port 80 disabled.
I've two frontends defined in haproxy:
WAN:80 (for acme redirection and ssl cert sign)
WAN:443 (for ssloffloading with all certificates for my websites)
one ACL for each certificate, configured as a "Host matches:" expression; the value is the CN of the SSL certificate.
one action for each ACL to switch to the corresponding backend.
SSL certificates configured as "Additional certificates" in the configuration area "SSL Offloading".
checkbox "Add ACL for certificate CommonName. (host header matches the "CN" of the certificate)" checked.
backends in haproxy:
one backend for the acme challenge (I'm using the pfSense internal webserver for that).
several other backends, one for every site, with some ACLs for URL rewriting.
here my backend config for acme to direct to pfSense's WebUI (listening on port 8443):

    backend BE_ACME-Server_http_ipvANY
        mode http
        log global
        errorfile 403 /var/etc/haproxy/errorfile_BE_ACME-Server_http_ipvANY_403_http_503
        timeout connect 30000
        timeout server 30000
        retries 3
        # ACL is true only for the ACME HTTP-01 challenge path
        acl acme_not_in_path path_beg -i /.well-known/acme-challenge
        # everything that is not a challenge request is denied, so the
        # WebUI itself is never reachable through this backend
        http-request deny if !acme_not_in_path
        # pfSense WebUI on loopback, TLS with its self-signed certificate
        server pfsenseAdminWebpage 127.0.0.1:8443 ssl check inter 1000 verify none
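For readers who want to see the two frontends described above together with the ACME backend, here is a complete HAProxy configuration written as an added example; it is not the poster's configuration and not generated by the pfSense package. The site hostnames (site-a.example.com, site-b.example.com), the certificate directory, the backend addresses and the frontend/backend names other than BE_ACME-Server_http_ipvANY are assumptions. The port-80 frontend lets only the ACME HTTP-01 challenge path through in clear text and redirects everything else to HTTPS; the port-443 frontend terminates TLS and picks the backend from the Host header, which is what the "Host matches" ACL in the pfSense GUI produces.

```haproxy
# Added example, not the poster's config. Names, hosts and addresses are assumed.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 30s
    timeout client  30s
    timeout server  30s

# WAN:80 - only the ACME HTTP-01 challenge is served in clear text,
# every other request is redirected to https.
frontend FE_WAN_http
    bind *:80
    acl is_acme_challenge path_beg -i /.well-known/acme-challenge/
    # http-request rules run before use_backend, so non-challenge
    # requests never reach the backend selection below
    http-request redirect scheme https code 301 unless is_acme_challenge
    use_backend BE_ACME-Server_http_ipvANY if is_acme_challenge

# WAN:443 - SSL offloading. HAProxy loads every certificate in the
# directory and selects one by SNI (assumed path).
frontend FE_WAN_https
    bind *:443 ssl crt /var/etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # one "Host matches" ACL per certificate CN, one use_backend per ACL
    acl host_site_a hdr(host) -i site-a.example.com
    acl host_site_b hdr(host) -i site-b.example.com
    use_backend BE_site_a if host_site_a
    use_backend BE_site_b if host_site_b
    # unknown hostnames get a 503 instead of an arbitrary site
    http-request deny deny_status 503 unless host_site_a or host_site_b

# ACME backend: the pfSense WebUI on loopback answers the challenge,
# all other paths are denied before they reach the WebUI.
backend BE_ACME-Server_http_ipvANY
    acl is_acme_challenge path_beg -i /.well-known/acme-challenge/
    http-request deny if !is_acme_challenge
    # verify none because the WebUI uses a self-signed certificate on 127.0.0.1
    server pfsenseAdminWebpage 127.0.0.1:8443 ssl verify none check inter 1000

backend BE_site_a
    server site_a 192.0.2.10:80 check

backend BE_site_b
    server site_b 192.0.2.11:80 check
```

A quick check after reloading HAProxy is to request an arbitrary path such as /admin on port 80 and confirm you get a 301 to https, then request /.well-known/acme-challenge/test and confirm it is answered (typically 404) by the pfSense webserver rather than redirected; a plain request to port 80 with a non-challenge path should never show WebUI content.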