I had a little trouble wrapping my head around acme-dns too; maybe my topic from a few years ago will be helpful to you too:
It's been working very well for me for almost three years.
The CNAME record is necessary because (when using DNS validation, which is the only way Let's Encrypt will issue wildcard certs), Let's Encrypt will always look for a TXT record at _acme-challenge.domainname. You can't tell it to look anywhere else, just as you can't tell it to use a port other than 80 for HTTP validation. But in both cases, you can redirect. For HTTP, you can send a 301 redirect to somewhere else. For DNS, you do that with a CNAME record.