wow this was a lot of work to do 
First of all: now it works!
I have the ticket interface exposed to the wild. While the rest is only accessible from within my LAN.
But I had to:
- install certbot for lets encrypt
- fetch a lets encrypt certificate using DNS records challenge (because port 80/443 cannot be exposed for that purpose)
- play around with a lot of apache settings like enabling SSL (a2enmod)
But how can I now use the https server in my local network as well? The server is locally reachable under another name (or IP directly). So the certificate I got from lets encrypt for my public domain name will lead to a warning screen, that the certificate doesn’t match the host name.
Is there any way to achieve that?
Thanks again
Bastian
