Traefik + Portainer

Usually Traefik manages the TLS certs towards the external clients (see the simple Traefik example). You probably want this to be centrally managed, as you will probably have more services (in the future) than just Portainer.

Connect Traefik and the internal target services to a shared Docker network, don't expose the ports of your internal services, and use HTTP internally.

  labels:
    - traefik.enable=true
    - traefik.docker.network=proxy
    - traefik.http.routers.portainer.entrypoints=websecure
    - traefik.http.routers.portainer.rule=Host(`portainer.example.com`)
    - traefik.http.services.portainer.loadbalancer.server.port=9000

You can also use TLS internally. With Traefik in front, Portainer might not get an LE-validated cert, in which case you might need to use insecureskipverify (doc).
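
The setup described in the post above, written out as a complete Compose file. This is an added example, not part of the original post; the image tags, the `le` resolver name, the e-mail address and the volume names are assumptions, while the `proxy` network, the `websecure` entrypoint and the labels are taken from the post.

```yaml
# Added example (constructed). Only Traefik publishes a port; Portainer is
# reachable solely over the shared "proxy" network, using plain HTTP internally.
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # route only containers with traefik.enable=true
      - --providers.docker.network=proxy
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.email=admin@example.com   # placeholder address
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
    ports:
      - "443:443"          # the only published port in the stack
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
    networks:
      - proxy

  portainer:
    image: portainer/portainer-ce:latest
    # No "ports:" section here: 9000 is never bound on the host.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.portainer.entrypoints=websecure
      - traefik.http.routers.portainer.rule=Host(`portainer.example.com`)
      - traefik.http.routers.portainer.tls.certresolver=le
      - traefik.http.services.portainer.loadbalancer.server.port=9000
      # Internal-TLS variant (assumes Portainer's HTTPS port 9443):
      #   ...loadbalancer.server.port=9443 and ...loadbalancer.server.scheme=https
      # With a self-signed Portainer cert this also needs, on Traefik,
      #   --serverstransport.insecureskipverify=true  (disables backend cert checks globally)

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
  portainer_data:
```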