Placing Nextcloud behind HAProxy with SSL Passthrough

Hi @dwrout

The management of the SSL certificates should be done by the reverse proxy (HAProxy in this case) and not by the web server.

In your case, your configuration will work until the expiration date of the certificate (Let's Encrypt certificates are valid for about 60 days if I remember correctly).

In my case, HAProxy resides on pfSense, which also has an ACME Certificates manager, which takes care of the automatic renewal of SSL certificates (I use the DNS Check method for verification, because otherwise it gets complicated).

Then, the SSL certificate that your backend will use will be the SSL certificate issued by the Root CA of your intranet, or some self-signed SSL certificate (in this case, HAProxy must skip the validity check for it to work).

Anyway, the ideal would be for the communication between the Nextcloud server and the reverse proxy to be via HTTP (not encrypted), and not via HTTPS (with encryption) … but the truth is that I doubt if this will be possible with Nextcloud (or at least, I have not been successful in achieving it). Some web applications do not support SSL Offloading, and I think Nextcloud is in this category of webapps that do not support SSL Offloading.

Cheers!
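
The layout described in the post above, written as a plain `haproxy.cfg` fragment. This is an added example, not configuration from the original poster. All names, addresses and file paths are placeholders: HAProxy terminates the public TLS session and re-encrypts to the backend, with the skipped-validation variant shown beside the internal-CA variant.

```haproxy
# Constructed example: hostnames, the 192.0.2.10 address and all paths are placeholders.
global
    # Refuse legacy protocol versions on the public side
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend fe_https
    # The reverse proxy owns the public certificate (chain + private key in
    # one PEM); this is the file an ACME client renews.
    bind :443 ssl crt /etc/haproxy/certs/cloud.example.com.pem
    # Tell the backend the original request arrived over HTTPS
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    default_backend be_nextcloud

backend be_nextcloud
    # Variant A: self-signed backend certificate, validity check skipped.
    # The hop is encrypted, but HAProxy does not authenticate the backend,
    # so anything answering on that address is accepted.
    # server nc1 192.0.2.10:443 ssl verify none

    # Variant B: backend certificate issued by the intranet root CA.
    # HAProxy validates the chain against that CA and checks the hostname.
    server nc1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/ca/intranet-root.pem sni str(nextcloud.internal.example) verifyhost nextcloud.internal.example
```

With variant B, only the public certificate on the `bind` line needs regular renewal; the backend certificate follows the lifetime your internal CA assigns.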