Letsencrypt and pfSense certificates

To be able to fully answer your question, one would have to know exactly where you want to terminate the TLS connections.

  • If all will be handled by the pfSense (HAproxy), then you only need to ensure that it can handle the multiple names over the port(s).

  • If the TLS connections are to be terminated at the individual servers, then you may need to separate the secure connections via distinct ports (like: 443 & 1883).

  • If the TLS connections are to be terminated twice (once by the pfSense and then again by the individual servers), you may have to "share" the cert from one system to the other OR switch to DNS authentication.

In ALL cases, if you are going to use HTTP authentication, you will have to make considerations for the multiple FQDNs that will be using the same single external IP and port (TCP 80).

3 Likes
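The port 80 consideration for HTTP authentication described above, as an added example that is not part of the original post: a raw HAProxy configuration that routes each name's HTTP-01 challenge by Host header to the server running the ACME client for that name. The hostnames, backend names and addresses are constructed placeholders, and the setup assumes each internal server answers its own challenges on port 80.

```haproxy
# Added example. web.example.com, mqtt.example.com and the 192.0.2.x
# addresses are constructed placeholders, not values from the post.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    # The single external IP, TCP 80: every FQDN's validation lands here.
    bind :80

    # HTTP-01 validation requests always use this path prefix.
    acl acme_challenge path_beg /.well-known/acme-challenge/

    # One ACL per FQDN that shares the external IP.
    acl host_web  hdr(host) -i web.example.com
    acl host_mqtt hdr(host) -i mqtt.example.com

    # Anything that is not a challenge is redirected to HTTPS.
    http-request redirect scheme https code 301 unless acme_challenge

    # Forward each name's challenge to the machine that requested
    # the certificate for that name.
    use_backend acme_web  if acme_challenge host_web
    use_backend acme_mqtt if acme_challenge host_mqtt

backend acme_web
    server web1 192.0.2.10:80

backend acme_mqtt
    server mqtt1 192.0.2.20:80
```

A challenge request for a name with no matching ACL gets no backend and fails, which makes a missing FQDN show up as a validation error rather than being answered by the wrong server.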