If you run that command as root, you receive the environment variables for the proxy setup and it works. I’m afraid the same command run by server-manager does not see the same environment, thus it fails.
You could try to configure LE on your firewall with all the system names you need. Then configure reverse proxy to your internal hosts.
For certificates in internal hosts there are some alternatives:
- use http, no certificate at all
- use https with a self-signed certificate and ignore cert errors from the reverse-proxy
- push the certificate to internal hosts with scp when certbot renews it on the firewall. You can drop an action in the certificate-update event (thanks to @Amygos for the idea)
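
The third option above, sketched as an added example that is not part of the original post or the project's own code: a POSIX shell script that could be dropped as an action in the certificate-update event to copy the renewed certificate and key to each internal host. All paths, host names, the `certpush` account and the SSH identity are placeholders (assumptions), as are the function names.

```shell
#!/bin/sh
# Added example. Every path, host name and account below is a placeholder (assumption).
CERT="${CERT:-/path/to/fullchain.pem}"             # certificate renewed on the firewall
KEY="${KEY:-/path/to/privkey.pem}"                 # its private key
HOSTS="${HOSTS:-host1.internal.example host2.internal.example}"
REMOTE_DIR="${REMOTE_DIR:-/path/to/remote/certs}"  # directory the internal service reads
DEPLOY_USER="${DEPLOY_USER:-certpush}"             # dedicated account used only for this job
SSH_ID="${SSH_ID:-/path/to/certpush_ed25519}"      # SSH key used only for this job
SCP="${SCP:-scp}"
SSH="${SSH:-ssh}"
# BatchMode: never hang on a password prompt when run from an event handler.
# StrictHostKeyChecking=yes: refuse unknown or changed host keys, so the
# private key is never sent to a host that has not been verified beforehand.
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -i $SSH_ID"

push_to_host() {
    pc_target="$DEPLOY_USER@$1"
    # Upload under temporary names, then rename, so the remote service
    # never reads a half-written file or a cert/key pair that does not match.
    $SCP $SSH_OPTS -p "$CERT" "$pc_target:$REMOTE_DIR/cert.pem.new" &&
    $SCP $SSH_OPTS -p "$KEY" "$pc_target:$REMOTE_DIR/key.pem.new" &&
    $SSH $SSH_OPTS "$pc_target" "cd '$REMOTE_DIR' && chmod 600 key.pem.new && mv key.pem.new key.pem && mv cert.pem.new cert.pem"
}

push_cert() {
    # Refuse to push anything if the renewal left an empty or missing file.
    if [ ! -s "$CERT" ] || [ ! -s "$KEY" ]; then
        echo "push_cert: certificate or key missing or empty" >&2
        return 2
    fi
    pc_rc=0
    for pc_host in $HOSTS; do
        # A failure on one host is reported but does not stop the others.
        if push_to_host "$pc_host"; then
            echo "push_cert: updated $pc_host"
        else
            echo "push_cert: FAILED for $pc_host" >&2
            pc_rc=1
        fi
    done
    return $pc_rc
}

# Only contacts hosts when called with --run, e.g. from the event action.
if [ "${1:-}" = "--run" ]; then push_cert; fi
```

The remote service still has to reload the new files; how that is done depends on the internal host and is left out here.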