do you use the default UCS Root CA?
There is currently a problem when using the dashboard App together with the Let’s Encrypt App. In this scenario the Apache is configured to use the Let’s Encrypt certificate, which is valid for the external DNS name, not the UCS hostname. But the dashboard App want’s a HTTPS connection with the UCS hostname :-(. We are working on a solution for that.
“certificate signed by unknown authority” sounds like the Root CA certificate is unknown to the system. By default the UCS Root CA is copied into /usr/local/share/ca-certificates/ (and “update-ca-certificates -f” is called) on every server to make the cert available in the globale cert store. So maybe you need to do something like this.