Certificate 1 will work fine if you assign a LE cert that covers the FQDN that you use in the ABB client: meaning the FQDN is the certificate's domain name [common name] or you added it to the SAN list [DNS names].
It's all about ensuring the server name you use in the clients when connecting to ABB server is included in the list of names of the certificate you assign to ABB. That, and that the certificate is signed by an entity that the client can validate (so not a self-signed cert.).
When it comes to the time to change the certificate, the LE certificates you create will auto-renew and these are fine (no silent fail, the backups will continue). Only if the client cannot itself validate the signer will the connection fail, and then you will have to go to each client to Edit Connection and re-confirm you trust it.
The good news, I found, was that if you change the certificate at the NAS end and this can now be validated by the client (known signer, and covers the server name) then the clients will start working again... without you having to go to each one!
Note: the ABB client server name doesn't have to be the same as the ABB portal because it is using a dedicated TCP port. That means you should ensure the right certificates are used for each part of the ABB service. But since the ABB client assumes the server name can be used to access both the backup service and portal it makes sense to use the same one, and advise users to do likewise.
Mostly, non-Web services don't care how you route to their network ports, but Web services can discern this (e.g. through reverse proxy rules). This is why you can use whatever server name or IP address to access TCP NNNN service and it will work until there is added encryption, then the client may complain if the certificate doesn't match the name it used to route to the server. It's the client that cares, not the server.
Synology Drive is another one that has desktop connections on a dedicated TCP port and mobile/web connection to Web portal port. This too needs to have the right certificates assigned to each one. Again it's best to use the same server name for all clients and Web portal, then the same certificate can be assigned.
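
An added example, not part of the original post: a small Python check of the name-coverage rule described above, applied per service, so you can see which client server names a certificate's name list would satisfy. The service labels, host names and function names are constructed for illustration; the wildcard handling (left-most label only, one label deep) goes beyond what the post covers, and the check says nothing about whether the client can validate the signer.

```python
import ipaddress

def is_ip(name):
    """True when the client was pointed at an IP address instead of a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def name_matches(cert_name, server_name):
    """Does one certificate DNS name cover the server name typed into the client?"""
    pattern = cert_name.lower().rstrip(".")
    host = server_name.lower().rstrip(".")
    if is_ip(host):
        return False              # a DNS name entry never covers an IP address
    if pattern == host:
        return True               # exact match, case-insensitive
    if pattern.startswith("*."):  # wildcard stands in for exactly one label
        parent = pattern[2:]
        first, _, rest = host.partition(".")
        return bool(first) and rest == parent and "." in parent
    return False

def audit(cert_names_by_service, client_name_by_service):
    """Map each service to the certificate names that cover the client's server name.

    An empty list means the client will complain about a name mismatch.
    """
    return {
        service: [n for n in cert_names_by_service[service] if name_matches(n, used)]
        for service, used in client_name_by_service.items()
    }

# Constructed sample: name lists of the certificates assigned to each service.
CERTS = {
    "backup-service-port": ["nas.example.com", "backup.example.com"],
    "web-portal": ["*.example.com"],
}

if __name__ == "__main__":
    for used in ("backup.example.com", "192.0.2.10", "a.b.example.com"):
        result = audit(CERTS, {svc: used for svc in CERTS})
        for svc, covered in result.items():
            print(f"{used:20} {svc:20} {'OK ' + covered[0] if covered else 'MISMATCH'}")
```

Using one server name everywhere, as the post advises, shows up here as every service returning a non-empty list for the same input.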