NTS (Network Time Security) uses TLS on port 4060
Both certficates also have a SAN entry for ntp.glypnod.com. DNS for ntp.glypnod.com has 4 addresses, the IPv4 and IPv6 addresses of ntp1 and ntp2. That works as expected. If ntpd askes for NTS via ntp.glypnod.com, DNS picks one and the certificate checking dance works via SAN.
The catch is when renewing. certbot wants to verify that I/it controls all the IP Addresses. But 2 of them are over on another machine. I can renew by removing the DNS entries for the other system from ntp.glypnod.com, renewing, then putting the DNS entries back.
Is there a better way?