It depends on how you have things set up and what level of configuration you can make. You could try handling the certificate stuff on the proxy. Alternately, if you can point a specific URL path to a single server, you could use the webroot method on that server to get the certificate and then update the proxy server. You could also use the DNS validation method to handle the certificate without needing to adjust the proxy configuration.
All the proxy does is point internal traffic to the right server if the incoming name is valid, to an HTTPS version (hence the reason for the cert to be on the proxy).
Which way do you recommend as the best option? And is there some documentation I could refer to?
Each setup is unique, so there’s not really any documentation. Likewise, the best option depends on the situation. Webroot is usually very simple to implement and you don’t need to interrupt or interact with other services to use it. However, in some configurations, it may be impossible to use.
That said, I’m a fan of the webroot method because of its simplicity and recommend trying it first. If you can have the proxy serve a path from local content, you could run certbot on the proxy cleanly. Any other options will involve more complexity in that you’d need to copy certificate files or find a way to modify DNS records.
If you could make use of a local global alias on the proxy:
Alias /.well-known/acme-challenge/ /path-to-challenge/
You could catch all auth requests into one folder.
Then also include something like:
ProxyPass /.well-known/acme-challenge !
in the vhost files to NOT proxy the auth challenge requests.
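Putting the Alias and the ProxyPass exclusion together, here is an added example of a complete Apache reverse-proxy vhost (not a config from the thread; the hostname, webroot path and backend address are assumed placeholders):

```apache
# Added example, not from the original thread. Serves ACME HTTP-01
# challenges from a local directory on the proxy and forwards every
# other request to the internal backend. Hostname, paths and backend
# address are placeholders.
<VirtualHost *:80>
    ServerName app.example.com

    # certbot's webroot plugin writes tokens below <webroot>/.well-known/acme-challenge/,
    # e.g. certbot certonly --webroot -w /var/www/acme -d app.example.com
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Exclude the challenge path from proxying. This must come before the
    # catch-all ProxyPass below, because the first matching rule wins.
    ProxyPass /.well-known/acme-challenge/ !

    # Everything else goes to the internal server.
    ProxyPreserveHost On
    ProxyPass / http://10.0.0.10:8080/
    ProxyPassReverse / http://10.0.0.10:8080/
</VirtualHost>
```

To check the exclusion before running certbot, drop a test file into /var/www/acme/.well-known/acme-challenge/ and fetch it over plain HTTP from outside; if the backend's 404 page comes back instead of the file, the ProxyPass exclusion is being shadowed by an earlier rule or lives in the wrong vhost.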