ERR ts=1717164516.1400423 logger=tls.obtain msg=could not get certificate from issuer identifier=*.gnas.duckdns.org issuer=acme-v02.api.letsencrypt.org-directory error=HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error

DuckDNS used to only support one TXT record value at a time.

If that is still true, then for a normal wildcard request of the base name and its wildcard, two TXT record values are required on the same record name, and so it will fail just as you describe.

A work-around is to issue a cert with just one name and then request a cert with both names and use that. The first cert authentication is cached by Let's Encrypt and so only one new authentication is needed on the second cert.

Another solution is to use a different DNS provider that supports multiple values on the same TXT record (most do).

Here is one example of a past thread with this

5 Likes
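The TXT-record collision described in the reply above, as an added example that is not part of the original posts: it derives the DNS-01 record name and value for each name in an order (per RFC 8555) and reports record names that need more values than a one-value-per-name provider can hold. The tokens, the account thumbprint and the helper names are constructed for illustration; `already_valid` models the cached authorization from the work-around.

```python
import base64
import hashlib
from collections import defaultdict

def txt_record_name(identifier: str) -> str:
    """DNS-01 record name: the wildcard label is dropped before prefixing."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base

def txt_value(token: str, thumbprint: str) -> str:
    """base64url(SHA-256(token + "." + account key thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def plan(challenges: dict, thumbprint: str, already_valid=()) -> dict:
    """Map each TXT record name to the values that must be live at the same time.

    Identifiers listed in already_valid have a cached authorization and
    need no new challenge, so they contribute no TXT value.
    """
    needed = defaultdict(set)
    for identifier, token in challenges.items():
        if identifier in already_valid:
            continue
        needed[txt_record_name(identifier)].add(txt_value(token, thumbprint))
    return dict(needed)

def conflicts(needed: dict, max_values_per_name: int = 1) -> list:
    """Record names a provider limited to max_values_per_name cannot serve."""
    return sorted(n for n, v in needed.items() if len(v) > max_values_per_name)

# Constructed sample data: the names come from the log line, the rest is made up.
THUMBPRINT = "constructed-account-key-thumbprint"
ORDER = {
    "gnas.duckdns.org": "constructed-token-A",
    "*.gnas.duckdns.org": "constructed-token-B",
}

if __name__ == "__main__":
    fresh = plan(ORDER, THUMBPRINT)
    print("both names, nothing cached:", conflicts(fresh))
    second = plan(ORDER, THUMBPRINT, already_valid={"gnas.duckdns.org"})
    print("after a single-name cert:  ", conflicts(second))
```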