So if you probably have something that looks like:
client:443 => caddy (123.123.123.12:443) => openBalena HAProxy (192.168.100.31:80) -> api (service:80)
Which means you are offloading SSL at the caddy endpoint and passing traffic to HAProxy over HTTP (open-balena/haproxy.cfg at master · balena-io/open-balena · GitHub).
What domains (SANs) does you Caddy issued SSL certificate cover?