No, I don’t have this issue. You could exclude port 443 in your HAProxy config, as well as ensure you are using HTTP in your web browser.
I got HaProxy working thanks to some amazing people over on the /r/homelab discord! I have one last question to do with dietpi, though.
Can I have a certificate for each domain, one for git.example.com and another for example.com, using dietpi-letsencrypt? Or is there a command that will do that for me with autorenewal?
Yes, it should be possible to have more than one certificate created.
Maybe you can share your amazing HAProxy configuration, just in case someone else is looking for a similar setup.
I got a second cert for my gitea instance, but it can’t access it, probably due to file permissions. Is there a quick command I can use for gitea to be able to access it?
Here’s some output from gitea’s log:
Failed to start server: open /etc/letsencrypt/live/git.example.com/privkey.pem: permission denied
Figured it out on my own! I’ll post my haproxy config now:
global
    # rsyslog is required for logging
    #log /var/log local0
    #log /var/log local1 notice
    maxconn 64
    log 127.0.0.1 local0 notice
    # Jail directory
    chroot /var/lib/haproxy
    stats socket /run/haproxy.sock mode 660 level admin
    stats timeout 30s
    # Note: the chroot gives little isolation while the process runs as root
    user root
    group root
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# TCP-mode frontend: only the TLS ClientHello is inspected, and the SNI
# decides the backend; no TLS termination happens here
frontend https-in
    bind *:80
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend lighttpd_backend if { req_ssl_sni -i example.com }
    use_backend gitea_backend if { req_ssl_sni -i git.example.com }

backend lighttpd_backend
    mode tcp
    server lighttpd_server 127.0.0.1:8080 check

backend gitea_backend
    mode tcp
    server gitea_server 127.0.0.1:3000 check

# Admin web page
#listen stats
#    bind *:4264
#    stats enable
#    stats uri /
#    stats hide-version
#    stats auth admin:dietpi
Where do you do SSL termination now? On HAProxy?
SSL is now passing through to each service so HAProxy doesn’t do anything other than pass the encrypted data through. lighttpd and Gitea get their certificates in their own config files and decrypt the data themselves.
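To show what the `req_ssl_sni` routing in the posted config actually looks at, here is an added example (not from the thread or from HAProxy) that parses the SNI host name out of a raw TLS ClientHello and maps it to the same two backends. The `BACKENDS` table, the `build_client_hello` helper and its test input are constructed for this illustration.

```python
import struct

# Routing table mirroring the posted use_backend rules (constructed)
BACKENDS = {
    "example.com": ("lighttpd_backend", "127.0.0.1:8080"),
    "git.example.com": ("gitea_backend", "127.0.0.1:3000"),
}

def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None."""
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); ClientHello is type 1
    if len(body) < 4 or body[0] != 0x01:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32  # skip client_version and random
    if len(hello) < pos + 1: return None
    pos += 1 + hello[pos]  # session_id
    if len(hello) < pos + 2: return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    if len(hello) < pos + 1: return None
    pos += 1 + hello[pos]  # compression_methods
    if len(hello) < pos + 2: return None  # no extensions at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        data = hello[pos:pos + elen]; pos += elen
        if etype == 0:  # server_name: list_len(2), then type(1) len(2) name
            i = 2
            while i + 3 <= len(data):
                nlen = struct.unpack("!H", data[i + 1:i + 3])[0]
                if data[i] == 0:  # host_name entry
                    return data[i + 3:i + 3 + nlen].decode("ascii", "replace")
                i += 3 + nlen
    return None

def choose_backend(record: bytes):
    """Case-insensitive match, like `req_ssl_sni -i`; None when no rule matches."""
    sni = extract_sni(record)
    return BACKENDS.get(sni.lower()) if sni else None

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01"
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A plain-HTTP request on port 80 carries no ClientHello, so `choose_backend` returns None for it; that is also why the `bind *:80` line in a TCP/SNI frontend cannot route unencrypted traffic.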