90 days later, and the Let's Encrypt + HAProxy plugins on OPNsense gave some trouble when it was time to update the certs.
Lesson learned: HAProxy applies HTTP redirect rules first, regardless of the order in which the rule is listed. The config validation reports an error confirming this. To work around it, I made the public HTTP server default to a new backend server pool. That pool is not tied to any real servers, but the HTTP redirect rule can be applied there.
So HTTP traffic arrives at the public server -> if it is an ACME HTTP challenge, it is handled by the matching rule applied to the public server. Any other request is sent to the default backend -> the redirect rule is applied there to all traffic.
Strange behavior in my opinion, but a workaround was not too difficult.
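As an added illustration (hand-written, not the config the OPNsense plugin generates), here is a plain haproxy.cfg that mirrors the workaround above. The reason it is needed: HAProxy evaluates a frontend's `http-request` rules before it selects a backend, so a redirect placed in the frontend would also catch the ACME HTTP-01 challenge requests and renewals would fail. Moving the redirect into a server-less backend keeps the challenge path as the only plain-HTTP path that is not forced to HTTPS. The section names, the responder address `127.0.0.1:8080`, the certificate path and the Home Assistant address are assumptions.

```haproxy
# Added example, not the OPNsense-generated config. Section names, addresses
# and the cert path are assumed placeholders.

global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Public HTTP listener. Only routing decisions live here: an http-request
# redirect in this frontend would run before backend selection and would
# also redirect the ACME challenge requests.
frontend public_http
    bind :80
    # HTTP-01 challenge tokens are always fetched under this well-known prefix.
    acl is_acme_challenge path_beg /.well-known/acme-challenge/
    use_backend acme_challenge if is_acme_challenge
    # Everything else goes to a backend whose only job is to redirect.
    default_backend redirect_only

# Backend that reaches the ACME challenge responder (assumed address/port).
backend acme_challenge
    server acme 127.0.0.1:8080

# "Empty" backend: no real servers, just a permanent redirect to HTTPS.
# The redirect terminates the request before any server would be chosen.
backend redirect_only
    http-request redirect scheme https code 301

# HTTPS listener for the real service (placeholder cert path and address).
frontend public_https
    bind :443 ssl crt /path/to/fullchain-and-key.pem
    default_backend home_assistant

backend home_assistant
    server ha 192.0.2.10:8123
```

`haproxy -c -f haproxy.cfg` checks the file before it is loaded; keeping the ACL anchored to the exact `/.well-known/acme-challenge/` prefix means only challenge traffic bypasses the HTTPS redirect.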
Bonus points: I also learned that Home Assistant does not allow self-signed certificates in the iOS or Android apps. For now I manually copied the updated OPNsense-generated certs for internal traffic to Home Assistant, but this needs to be automated. Another day.