Turnkey Linux itself has the confconsole to configure the SSL Encryption, but for simple redirection this will not work, you need a A entry in the dns server. Using Flocus extension and Passwords extension without self signed certificate will produce errors.
Best way is, to use also the cerbot.
Short way for certbot certificate (as root):
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install certbot certbot-apache
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
certbot --apache
Cron job for renewing the certificate
echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | tee -a /etc/crontab > /dev/null