I've been running into SSL issues too. At first I purchased a domain name from Google Domains; it was good because Google Domains also offered a built-in DDNS client. I set up the DDNS on the NAS, using ddns.mydomain.com. I then added some subdomain names and set up reverse proxy, and I was able to connect to what I needed. I then tried to sign up w/ Let's Encrypt and kept getting a failed error, check to see if domain is valid. After checking the Let's Encrypt community, I saw some posts that mentioned Google Domains does NOT support the LE API. I canceled with Google Domains and got refunded. I just signed up with DreamHost. I created the same domain name, created a CNAME record ddns.mydomain.com which points to a DDNS name (xyz.synology.me). The connections with that and reverse proxy are working, but again I cannot get an SSL cert from LE.
When it asks for the domain name, I am entering my domain name without any subdomains. I entered my email, and for the SAN name I entered some various subdomain names: ddns.mydomain.com, abc.mydomain.com. At one brief point I got a different error which I had never seen before, which was something about too many tries. This I thought was good, because at least now I knew I was connecting w/ LE. I'm wondering if this is the issue because the domain name IP is registered with DreamHost, whereas the subdomain names are resolving with my public ISP IP address. Is it because of the IP address mismatch? For now I have removed any kind of redirects on the domain (mydomain.com redirecting to the DDNS name, which was separate and in addition to adding the CNAME of a subdomain to the DDNS name).
I'm kind of scratching my head on this. And I have 0 experience when it comes to these certificate things. I also have ports 80 & 443 forwarded. Also, I noted that the LE website had a page with supported domain registrars; Google Domains was not on that list, but DreamHost was, so this has to be possible to set up.