Trouble getting ubuntu clients to pull updates from repo

foreman 3.3.0 and katello 4.5.0

dist: ubuntu 20

just started really diving into foreman, been using spacewalk and satellite for years to manage centos and rhel clients (and have an understanding of how that whole product works end to end).

so far on foreman i have no trouble with CentOS clients (7-8-9) all behaving properly and downloading updates from repos on foreman. ill predicate this question with: i have also never used any management software with ubuntu before, always just single client out to the default repo on the internet.

so far i have successfully created the ubuntu product, with os, updates, and security repos. they sync fine, and they show up as updates available when i register a client. but when i try to update (either from the foreman rex or from apt update) it fails with an error about it doesnt like the SSL cert in use on the repo.

is SSL cert really an issue for ubuntu clients?

ive been kicking around putting foreman behind a proxy and just let the proxy manage a letsencrypt cert.

if anyone has experience with this, i would appreciate some pointers. thank you!