SSL configuration for new Nextcloud server

The new Nextcloud server (13.0.6) is doing pretty well and so far I have no issues with it as far as accessing it from the LAN. It appears that it is a must to have SSL traffic to/from it even when you are in the LAN. I read this was a requirement if you use Nextcloud Talk or other apps that require SSL on the server itself, regardless of whether you are in the LAN or not.

Knowing this, I configured SSL with Let's Encrypt, and all is configured and working fine.

In order for me to reach this Nextcloud server externally I have to go through my Sophos UTM, where I have configured WAFs as a reverse proxy to allow and redirect traffic to the proper servers in the LAN using SNI, since I put the SSL certificates in the WAF itself. This way I do not have to open ports to redirect traffic to certain hosts. The question concerns this Nextcloud server that is already configured with SSL.

I’m not sure how to proceed in this case…

Do I need the same certificate as on the server uploaded to the WAF (Web Application Firewall) and use it that way? WAFs do not have a hostname, so to speak.

Do I need to get a new certificate for the WAF for the same FQDN that the Nextcloud server has? Something tells me I do not need two certificates.

I do not want to set up a NAT rule to allow traffic on port 443 to be redirected to the real Nextcloud server, as it may mess up the SNI rules for the other certificates on the WAFs, which are doing a good job redirecting SSL traffic for other web servers to the appropriate hosts based on the certificates they have. Yes, I have only one WAN IP and multiple web services on different internal hosts.

Nextcloud is running nginx and the WAFs use Apache, but there is not much granularity in the frontend for configuring these WAFs. All you can do is upload a cert, configure the external web server, configure the real internal web server, and define redirections with the profiles and rules you set.

Any suggestions?
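An added example for readers of this thread (not part of the original post, and not Sophos or Nextcloud project code): the Nextcloud config.php keys that matter once a WAF terminates TLS for the public name and forwards to a backend that keeps its own certificate. The public FQDN cloud.example.com, the LAN name nextcloud.lan and the UTM address 192.168.1.1 are assumptions; only the proxy-related keys are shown, to be merged into an existing config.php.

```php
<?php
// Added example, not from the original post: proxy-related Nextcloud
// config.php settings for a backend sitting behind a TLS-terminating
// reverse proxy (the Sophos UTM WAF described above). All hostnames and
// addresses below are assumptions for illustration.
$CONFIG = array (
  // Accept requests whose Host header is the public FQDN or the LAN name;
  // anything else is rejected with the "untrusted domain" page.
  'trusted_domains' =>
  array (
    0 => 'cloud.example.com',   // assumed public FQDN on the WAF certificate
    1 => 'nextcloud.lan',       // assumed internal name used from the LAN
  ),

  // Treat the WAF as a proxy so Nextcloud takes the real client address from
  // X-Forwarded-For (only if the WAF forwards that header). Without this,
  // every log line and brute-force-protection entry shows the UTM's LAN IP,
  // so one attacker can get all external users throttled.
  'trusted_proxies' =>
  array (
    0 => '192.168.1.1',         // assumed internal address of the UTM
  ),
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),

  // Generated links (password resets, share links, Talk invitations) must
  // point at the public name over https, whatever Host header the proxy
  // passes to the backend.
  'overwritehost' => 'cloud.example.com',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://cloud.example.com',

  // Apply the overwrites only to requests that arrive via the proxy, so
  // direct LAN access by the internal name keeps working unchanged.
  // Single-quoted PHP string: '\\.' becomes '\.' in the regex.
  'overwritecondaddr' => '^192\\.168\\.1\\.1$',
);
```

After changing the file, check the admin logging page from an external client: the entries should show the client's public address rather than the UTM's LAN address, and a newly created share link should carry the public name with https.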