This is a new post as the 3 similar posts I found are closed and I can't seem to reply to them with this useful information:
Like the other posters, I too found it simple enough to setup a custom public domain, add a cname to a ddns of my letsencrypt client and open up port 80 from the internet to the client, to get the first letsencrypt client working.
But I struggled in getting the second client and CN/fqdn working.
The solution I used is I setup a second cname to the second client CN/fqdn and configured a web proxy on port 80 on the first client.
The web proxy inspects the http header URL in all port 80 traffic and is configured with an entry to forward the traffic meant for the second client's CN/fqnd to a mapped IP address of the second client.
That way, the letsencrypt traffic to the first client gets handled locally and the letsencrypt traffic for the second client gets forwarded over to it through the first client.
This is especially simple for synology nas users as it's easy to setup in the gui at Control Panel > Login Portal > Advanced
Hope this helps everyone as I find it a much better option that some of the other proposals I've heard like: use multiple public IPs, or use a single cert on all clients and copy the renewed cert every 3 months manually or via automation