After 10 hours of debugging I am lost and hope someone can get me clarified on this. I probably read the right answer several times or was near "it works"…
My setup is simple:
I got two webservers with self-signed certs and they're running fine internally:
appserver1+nginx+selfsignedcert
app1.localdomain
appserver2+nginx+selfsignedcert
app2.localdomain
To make them reachable over WAN I wanted to utilize HAProxy (v1.8) with Let's Encrypt certificates for public web access.
haproxy(1.8)+certbot+letsencryptcerts
ha.localdomain
The following domain certs are created via Let's Encrypt and stored in the ssl folder:
app1.public.net
app2.public.net
And from now on it wasn't even once working:
I can't reach a site through the HAProxy address; I run either into 503 or connection refused errors. I started to strip and change a lot in my HAProxy config file. This is how it looks now:
frontend main
    bind :80
    bind :443 ssl crt /path/to/ssl.pem
    redirect scheme https if !{ ssl_fc }
    acl isapp1 hdr(host) -i app1.public.net
    acl isapp2 hdr(host) -i app2.public.net
    use_backend bapp1 if isapp1
    use_backend bapp2 if isapp2

backend bapp1
    description my shiny app server is so shiny
    server app1 XXX.XXX.XXX.XXX:433 check-ssl ssl verify none
    option http-no-delay
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend bapp2
    description a second shiny tower somewhere between bits and bytes
    server app2 XXX.XXX.XXX.XXX:433 check-ssl ssl verify none
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

listen haproxy-stats
    bind :8080
    mode http
    option forwardfor
    option httpclose
    stats enable
    stats show-legends
    stats refresh 10s
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth someuser:somepassphrase
    stats admin if TRUE
I would love to get some help here on what I am missing; I don't want to spend another night on it.
There is also more to consider: why do I terminate SSL 2x?
I usually encrypt most of my internal traffic with SSL, but does this re-encryption bring some drawbacks except for the performance impact of SSL?
Is there any advantage in how SSL termination is done on nginx or HAProxy?
Something to consider security-wise?
I love the idea of managing just a single machine with all certs on it, but since I deploy SSL certs with Ansible I don't care that much.
Is it maybe better to generate the Let's Encrypt certs on the backends and let HAProxy run in TCP reverse-proxy mode?
A lot of questions for a first post, and a happy hello to all the proxy nerds.
Thanks in advance
n1ete
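As an added example (not the poster's config or anything from the HAProxy project), here is the terminate-and-re-encrypt layout the post describes, written so that HAProxy actually verifies the backend certificates instead of using `verify none`, with the stats/admin page kept off the public interface. Certificate paths and the 10.0.0.x backend addresses are assumed placeholders.

```haproxy
# Added example, not the poster's config: HAProxy 1.8 terminating the public
# TLS with the Let's Encrypt cert and re-encrypting to the nginx backends while
# verifying their certs. Assumed (placeholder) paths and addresses:
#   /etc/haproxy/certs/         fullchain+privkey PEM per public name (chosen by SNI)
#   /etc/haproxy/backend-ca.pem the self-signed backend certs (or the internal CA)
#   10.0.0.11 / 10.0.0.12       the two appservers, nginx listening on 443
defaults
    mode http                  # hdr(), redirect scheme etc. only work in HTTP mode
    option forwardfor          # hand the real client IP to nginx
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend public
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request redirect scheme https unless { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=31536000"
    acl isapp1 req.hdr(host),field(1,:) -i app1.public.net
    acl isapp2 req.hdr(host),field(1,:) -i app2.public.net
    use_backend bapp1 if isapp1
    use_backend bapp2 if isapp2
    # no default_backend: an unknown Host gets a 503 instead of a random app

backend bapp1
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]
    # weak:   server app1 10.0.0.11:443 ssl verify none   (any cert accepted)
    # strong: pin the backend CA and check the name in the backend's cert
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem sni str(app1.localdomain) verifyhost app1.localdomain check check-sni app1.localdomain

backend bapp2
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]
    server app2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem sni str(app2.localdomain) verifyhost app2.localdomain check check-sni app2.localdomain

listen stats
    bind 127.0.0.1:8404        # admin-enabled stats page stays local only
    stats enable
    stats uri /stats
    stats auth someuser:somepassphrase
    stats admin if LOCALHOST   # LOCALHOST is a predefined ACL (src 127.0.0.1/8)
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file and warns about HTTP-only directives used in a tcp-mode proxy. For the passthrough variant asked about at the end, the frontend would instead run in `mode tcp` and route on `req.ssl_sni`, with each backend holding its own Let's Encrypt cert, and the HTTP rules above would no longer apply.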