Intermediate proxies are currently not supported (and it's not certain they can ever be), as per the FAQ from the initial alpha release post:
Then PDM not supporting (HA) proxy should not really matter. You could try adding the PVE node using the local IP address directly. Or alternatively test if your DNS indeed resolves correctly to the local address by trying to resolve the node's hostname from the PDM shell (ping could be used for starters).
FWIW, depending on your time and enthusiasm, one option here might be to set up a local ACME-backed CA service, i.e. what Let's Encrypt provides but locally. Our products support using a local ACME instance (albeit IIRC, one might need to use the CLI once for adding the ACME directory initially). Compared to using a DNS-based challenge, which also works for private hosts, this would leave you in full control of the CA and avoid leaking some metadata through the transparency logs the public CAs must publish. Just mentioning this as you explicitly noted that you're using that HA Proxy setup for the local CA cert.
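A scripted form of the resolution check suggested in the post above, added here as an example; it is not part of the original post and not Proxmox tooling. It tells apart a name that resolves only to the node, one that resolves to something else (such as the proxy), and one that returns both. The host names, addresses and the use of port 8006 are assumptions made for the illustration.

```python
import ipaddress
import socket

PVE_API_PORT = 8006  # assumption: the node's API listens on the default PVE port


def system_resolver(hostname):
    """Ask the system resolver (hosts file, then DNS) for all addresses of hostname."""
    infos = socket.getaddrinfo(hostname, PVE_API_PORT, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_node_resolution(hostname, expected_ip, resolver=system_resolver):
    """Return (verdict, other_addresses) for a node name and its expected local IP.

    ok         - the name resolves only to the expected address
    mixed      - expected address present, but other addresses are returned too
    wrong      - the name resolves, but not to the expected address
    unresolved - the resolver returned an error
    """
    expected = ipaddress.ip_address(expected_ip)
    try:
        raw = resolver(hostname)
    except socket.gaierror:
        return ("unresolved", [])
    # Strip IPv6 zone ids ("fe80::1%eth0") so the addresses compare cleanly.
    answers = {ipaddress.ip_address(a.split("%")[0]) for a in raw}
    others = sorted(str(a) for a in answers if a != expected)
    if expected not in answers:
        return ("wrong", others)
    return ("mixed", others) if others else ("ok", [])


# Constructed sample records: 10.0.0.5 stands in for the proxy's address.
SAMPLE_DNS = {
    "pve1.lab.example": ["10.0.0.11"],
    "pve2.lab.example": ["10.0.0.5"],
    "pve3.lab.example": ["10.0.0.13", "10.0.0.5"],
}


def sample_resolver(hostname):
    """Offline stand-in for system_resolver, backed by SAMPLE_DNS."""
    if hostname not in SAMPLE_DNS:
        raise socket.gaierror("name not found (constructed sample)")
    return SAMPLE_DNS[hostname]


if __name__ == "__main__":
    for host, ip in [("pve1.lab.example", "10.0.0.11"), ("pve2.lab.example", "10.0.0.12"),
                     ("pve3.lab.example", "10.0.0.13"), ("pve4.lab.example", "10.0.0.14")]:
        print(host, ip, check_node_resolution(host, ip, sample_resolver))
```

On the PDM host itself, call `check_node_resolution` without the third argument so the system resolver is used.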