I'm hosting an app on a NAS, port 3000. Works great. I have a Pi5 that runs Apache and a few web projects. Works great. I've got a static IP from my ISP and can send traffic to via my domain name and subdomains. My router forwards ports 80 and 443 to the Pi that runs my Apache server. Works great! I use certbot to make SSL for all subdomains.

BUT now, I've got a domain set up in Apache that redirects to the app on the NAS. Works great! BUT, I want to add SSL. certbot fails as I assume it's trying to add files to a folder, but of course, it can't. So, where do I add the SSL cert?

1. The NAS?
2. The Pi?

I don't know how to make certs outside of certbot (I should learn)... Is there an idiot's guide to the relationship of SSL and redirected virtual directories?