If your main site uses HTTPS, all the resources it loads need to be over HTTPS. If your main site uses insecure HTTP, it can still load HTTPS resources, however. (This restriction probably isn’t enforced for RTMP, though. Since RTMP is not supported by HTML5 <video>, your player is probably Flash-based. The Adobe Flash Player makes its own HTTP/HTTPS connections and isn’t restricted by your browser’s rules.)
At any rate, from the information given you would need a certificate for both your HAProxy server and your nginx server. They can use the same certificate if they run on the same domain name.
For example, with certbot you could configure SSL with nginx first automatically:
certbot --nginx -d yourdomain.com,www.yourdomain.com --deploy-hook 'cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > $RENEWED_LINEAGE/combined.pem'
And then manually configure HAProxy to use that certificate by adding an SSL binding to its configuration like:
bind *:443 ssl crt /etc/letsencrypt/live/yourdomain.com/combined.pem
The deploy hook is needed because certbot doesn’t create files in the format HAProxy uses by default. It’s important to use single quotes and not double quotes for that, or your current shell will interpret the variables rather than the shell certbot runs the hook under, and things won’t work properly.
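The deploy hook described above, written out as a standalone script. This is an added example, not part of the original post. Because combined.pem contains the private key, the script creates it with owner-only permissions and swaps it into place atomically. The `build_combined` helper name and the `systemctl reload haproxy` step (HAProxy managed by systemd) are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook that builds the combined PEM HAProxy expects.
# certbot exports RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/yourdomain.com

# build_combined DIR: write DIR/combined.pem = fullchain.pem followed by privkey.pem.
build_combined() {
    dir=$1
    chain="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    out="$dir/combined.pem"

    # Refuse to build from missing or empty inputs.
    [ -s "$chain" ] && [ -s "$key" ] || { echo "missing input in $dir" >&2; return 1; }
    # Check the PEM types so a swapped or truncated file is caught before HAProxy sees it.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" \
        || { echo "no certificate in $chain" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "no private key in $key" >&2; return 1; }

    # Subshell keeps the umask change local to this step.
    (
        umask 077
        # mktemp creates the file mode 0600; same directory makes the rename atomic.
        tmp=$(mktemp "$dir/combined.pem.XXXXXX") || exit 1
        cat "$chain" "$key" > "$tmp" || { rm -f "$tmp"; exit 1; }
        # Replaces any older, possibly world-readable combined.pem in one step.
        mv -f "$tmp" "$out"
    )
}

# Run only when invoked by certbot as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined "$RENEWED_LINEAGE" || exit 1
    # Assumption: HAProxy runs under systemd; it must reload to serve the new certificate.
    systemctl reload haproxy
fi
```

Save the script as an executable file and pass its path to `--deploy-hook`, or place it in `/etc/letsencrypt/renewal-hooks/deploy/`.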