You set up the certificate correctly. It seems that Cockpit requires a little extra configuration to work under reverse proxying, or else it sends a pointless redirect (https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-Apache-with-LetsEncrypt).
From what I can tell, you need to add this to your Apache virtualhost for Cockpit:
ProxyPreserveHost On
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://192.168.1.90:9090/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://192.168.1.90:9090/$1 [P,L]
and this to your Cockpit config:
[WebService]
Origins = https://cockpit.shinytreecko.com http://127.0.0.1:9090 http://192.168.1.90:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
After you restart both, Cockpit shouldn’t send the redirect anymore (but you might need to flush the browser cache, because a 301 redirect is going to get cached, unfortunately).
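
A small lint for the Cockpit settings quoted above, added here as an example and not part of the original post or of the Cockpit project; the function name `check_cockpit_conf` and the embedded sample text are constructed for illustration. It checks that the public origin is listed and reports plain-HTTP origins that remain usable on the network because `AllowUnencrypted` is on.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: the [WebService] section quoted in the post above.
SAMPLE_CONF = """\
[WebService]
Origins = https://cockpit.shinytreecko.com http://127.0.0.1:9090 http://192.168.1.90:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def check_cockpit_conf(text, public_url):
    """Return findings for a cockpit.conf used behind a TLS-terminating proxy."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    if not cp.has_section("WebService"):
        return ["missing [WebService] section"]
    ws = cp["WebService"]
    findings = []
    origins = ws.get("Origins", "").split()
    want = urlsplit(public_url)
    public_origin = f"{want.scheme}://{want.netloc}"
    # The browser sends the public origin, so it must be listed exactly.
    if public_origin not in origins:
        findings.append(f"public origin {public_origin} not in Origins")
    # Without this header Cockpit cannot tell that the client used HTTPS.
    if not ws.get("ProtocolHeader"):
        findings.append("ProtocolHeader not set")
    unencrypted = ws.get("AllowUnencrypted", "false").strip().lower() == "true"
    if not unencrypted:
        findings.append("AllowUnencrypted is not true; proxied HTTP gets redirected")
    # With AllowUnencrypted on, a non-loopback http:// origin means the
    # backend can be used directly, bypassing the proxy's TLS.
    for origin in origins:
        u = urlsplit(origin)
        if unencrypted and u.scheme == "http" and u.hostname not in LOOPBACK:
            findings.append(f"plain-HTTP origin allowed off-loopback: {origin}")
    return findings


if __name__ == "__main__":
    for line in check_cockpit_conf(SAMPLE_CONF, "https://cockpit.shinytreecko.com"):
        print(line)
```

If the LAN origin is reported and direct access is not wanted, restricting port 9090 to the proxy host with a firewall rule closes that path.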