But really, I don't know why you don't just add an A record to your DNS and give your Cockpit host its own resolvable FQDN and have it request a LetsEncrypt SSL certificate for itself. All my bare metal host servers have a domain name of host1, host2, etc. and the VMs they host have a corresponding srv1, srv2, etc. hostname. If it's greater than 1:1 of multi-VMs per host, the secondary VM gets an alternate name, of course.