So, what happened there is that by default Certbot tried a method named tls-sni-01 to prove control over the name by itself answering HTTPS connections on port 443. But when Let’s Encrypt called your name on that port they reached your existing server, not Certbot, and of course the real server knew nothing about this proof of control stuff.
You could look at telling Certbot to use http-01 validation, where it places files on a web server basically to prove you control the server. Note that’s HTTP on port 80, not HTTPS, so if you don’t have port 80 open it might not be convenient. As a DDNS user you might also look into DNS proof; https://acme.sh/ is one option which I think speaks DDNS. But it might not help if the DNS names you want certificates for are from another provider.
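Added example, not part of the original post and not Certbot's own code: a pre-flight check for the http-01 approach described above, which drops a random probe file under the webroot and confirms the existing server returns it over plain HTTP. The function names are hypothetical, and `demo()` uses a constructed local server on an ephemeral port in place of a real site on port 80.

```python
import http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request
from functools import partial

# Path prefix that ACME http-01 validation requests (RFC 8555, section 8.3).
CHALLENGE_DIR = ".well-known/acme-challenge"
# Fetch directly, ignoring any proxy settings, the way an outside validator would.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe_served(host, port, token, body, timeout=5):
    """Fetch the probe file over plain HTTP and compare its content."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with _opener.open(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().strip() == body.encode()
    except (urllib.error.URLError, OSError):  # 404, refused, timeout, ...
        return False

def check_webroot(webroot, host, port=80):
    """Place a random probe file in webroot, then see whether host serves it."""
    token, body = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    probe = os.path.join(challenge_path, token)
    with open(probe, "w") as f:
        f.write(body)
    try:
        return probe_served(host, port, token, body)
    finally:
        os.remove(probe)  # leave no stray files in the real webroot

def demo():
    """Constructed local run: the server serves `served` but not `other`."""
    with tempfile.TemporaryDirectory() as served, \
         tempfile.TemporaryDirectory() as other:
        handler = partial(http.server.SimpleHTTPRequestHandler, directory=served)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            port = srv.server_address[1]
            return (check_webroot(served, "127.0.0.1", port),
                    check_webroot(other, "127.0.0.1", port))
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(demo())  # (True, False)
```

A `False` from `check_webroot` for your real webroot and hostname means the server answering on port 80 is not serving that directory. A `True` obtained from inside your own network still does not prove port 80 is reachable from the outside.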