Hi,
if you use HSTS you need proper certificates, indeed. You could use LetsEncrypt for this, yes. But for internal servers this is usually not suitable as you might have noticed.
Besides fiddling with LetsEncrypt and a reverse proxy, you have two other possibilities:
- Disable HSTS
```
root@ucs:~# ucr search hsts
apache2/hsts/includeSubDomains: <empty>
Applies HSTS policy also to subdomains if set to 'yes'.
apache2/hsts/max-age: <empty>
Time in seconds of how long web browsers will cache and enforce the HSTS policy on the host. Defaults to '10886400' - which are 18 weeks.
apache2/hsts: <empty>
Enable HTTP Strict Transport Security (HSTS) by setting this variable to 'yes'. 'apache2/force_https' should be enabled additionally to take full advantage of HSTS.
```
- Install the UCS CA certificate in your browsers.
As a first step you might want to use this article.
Hope it helps
/CV
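An added example, not part of the post above and not UCS code: a small Python parser for the Strict-Transport-Security header value as defined in RFC 6797, showing what a browser does with the max-age and includeSubDomains settings listed by `ucr search hsts`. The header strings are constructed samples and the function names are hypothetical; the point to notice is that a missing header leaves an already cached policy in place, and only `max-age=0` clears it.

```python
import re

WEEK = 7 * 24 * 3600  # seconds


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    value is invalid and a browser would ignore it.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # quoted-string form of the value
        if name in directives:
            return None  # a directive must not appear more than once
        directives[name] = value if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is mandatory and must be a non-negative integer
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}


def browser_effect(header_value):
    """Describe what a browser does with this header on a valid HTTPS response.

    header_value is None when the server sends no HSTS header at all.
    """
    policy = None if header_value is None else parse_hsts(header_value)
    if policy is None:
        return "no change: any cached policy stays until its max-age expires"
    if policy["max_age"] == 0:
        return "cached policy deleted"
    scope = "host and subdomains" if policy["include_subdomains"] else "host only"
    return "HTTPS enforced for %g weeks (%s)" % (policy["max_age"] / WEEK, scope)


if __name__ == "__main__":
    # Constructed samples: default max-age from the UCR text, header absent, reset.
    for sample in ("max-age=10886400; includeSubDomains", None, "max-age=0"):
        print(repr(sample), "->", browser_effect(sample))
```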