Acme.sh script can't sign CSR

You do not necessarily need to own the FQDN you want to get a certificate for, but you need to prove that you control the FQDN (FQDN = crypto4n4rk.ddns.net in your case).

Let's Encrypt currently offers three ways to do this proof:

  • HTTP-01 - Works by connecting to your server via HTTP and retrieving a shared token for validation. Requirements are that you need a domain pointing to some server that can be reached from anywhere in the internet. This is what acme.sh's webroot mode is for. You tell acme.sh where to place the token so that Let's Encrypt can retrieve it via HTTP.
  • TLS-ALPN-01 - Pretty similar to HTTP-01, but uses the TLS protocol for validation. We can consider its requirements similar to HTTP-01.
  • DNS-01 - This type of validation ("challenge") works entirely within DNS. You submit a domain name you want to get a certificate for and LE gives you a challenge to submit a DNS TXT record _acme-challenge.FQDN in your global DNS. This can then be retrieved from the internet, without ever connecting to your machine(s).

For a DDNS domain, you will probably be able to do either the HTTP-01 or the TLS-ALPN-01 challenge, as the domain resolves to an IP under your control. You most likely won't be able to do the DNS-01 challenge, but that's not a problem as long as you can do one of the other two.

To do the HTTP-01 challenge, you need a webserver. If you do not currently have a webserver, you can use acme.sh's standalone mode --standalone which will automatically spin up a temporary webserver to complete the HTTP-01 challenge.
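As an added illustration of what the HTTP-01 and DNS-01 challenges actually prove (this is example code, not part of the answer above and not acme.sh's own code), the block below computes the two artefacts from RFC 8555 that a client such as acme.sh produces: the key authorization that must be served at `http://FQDN/.well-known/acme-challenge/<token>`, and the `_acme-challenge.FQDN` TXT value derived from it. The account key is a constructed RSA JWK with a made-up modulus; `crypto4n4rk.ddns.net` and the token value are placeholders taken from or invented for this thread. It also shows the one check a client must make before writing the token into a webroot: the token is an untrusted string from the CA and must be validated as base64url before it is used as a filename.

```python
import base64
import hashlib
import json
import os
import re

# RFC 8555 section 8.1: tokens are base64url characters only (no padding).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def validate_token(token: str) -> str:
    """Reject anything that is not plain base64url before it touches the filesystem."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("ACME token is not base64url; refusing to use it as a path")
    return token


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{validate_token(token)}.{jwk_thumbprint(jwk)}"


def http01_challenge(fqdn: str, token: str, jwk: dict, webroot: str) -> dict:
    """Where the CA will fetch, and what acme.sh's webroot mode writes there."""
    body = key_authorization(token, jwk)
    return {
        "url": f"http://{fqdn}/.well-known/acme-challenge/{token}",
        "file": os.path.join(webroot, ".well-known", "acme-challenge", token),
        "body": body,
    }


def dns01_txt(fqdn: str, token: str, jwk: dict) -> dict:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{fqdn}", "value": b64url(digest)}


# Constructed sample account key (assumption: modulus is made up, not a real key).
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc",
    "alg": "RS256",  # extra members must not affect the thumbprint
}
SAMPLE_FQDN = "crypto4n4rk.ddns.net"
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token


if __name__ == "__main__":
    challenge = http01_challenge(SAMPLE_FQDN, SAMPLE_TOKEN, SAMPLE_JWK, "/var/www/html")
    print("HTTP-01: serve", repr(challenge["body"]), "at", challenge["url"])
    print("         acme.sh webroot mode would write", challenge["file"])
    txt = dns01_txt(SAMPLE_FQDN, SAMPLE_TOKEN, SAMPLE_JWK)
    print("DNS-01:  TXT", txt["name"], "=", txt["value"])
```

The HTTP-01 file body is the key authorization itself, so the CA can verify both that you control the web server at the FQDN and that the request came from the holder of the account key; the DNS-01 record only carries a hash of it, which is why the TXT value is fixed-length and reveals nothing about the token. Run the file directly to see the values for the constructed inputs.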