DuckDNS and LetsEncrypt with no open ports!

On a hassio Pi with no open ports I don’t need DuckDNS anymore but I presume I should keep it for the LetsEncrypt?

The problem I have is that since I closed the router port my Sonos TTS no longer works. The recently-and-partially-educated-in-network-security me thinks it might be something to do with still using certificates which the Sonos doesn’t like - I did say only partially educated! :stuck_out_tongue_winking_eye:

Is there a way round this? (Am I even close to being right?)

When you say open port I assume you mean you’ve removed the port forwarding, i.e. it is no longer exposed to the internet? If that is true, do you still need SSL (HTTPS)? Unless this is running on an open WiFi you could potentially get rid of that.
Let’s Encrypt will give you a cert on your duckdns FQDN, i.e. if you connect to your HA on anything but the FQDN, the browser/client will inform you the certificate was not generated for that host, but for the FQDN. Some applications might just reject such connections, which could potentially be what is happening in your case.
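
The mismatch described in the reply above, as an added example that is not part of the original thread: a strict client compares the name it connected to against the certificate's subjectAltName entries, so a cert issued only for the DuckDNS FQDN fails when the same server is reached by LAN IP or local hostname. The names `myhome.duckdns.org`, `hassio.local` and `192.168.1.10` are constructed placeholders, and the matching rules are a simplified RFC 6125-style check, not Sonos's or Home Assistant's own code.

```python
import ipaddress

def _dns_match(pattern, host):
    """Compare a SAN DNS entry with a hostname, label by label.
    A wildcard is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # "*" covers exactly one label; require at least two fixed labels after it
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def cert_covers(target, san):
    """san: ("DNS", name) / ("IP Address", addr) pairs, the shape that
    ssl.SSLSocket.getpeercert() returns under 'subjectAltName'."""
    ip = _as_ip(target)
    if ip is not None:
        # An IP target can only match IP-type SAN entries, never DNS ones.
        return any(k == "IP Address" and _as_ip(v) == ip for k, v in san)
    return any(k == "DNS" and _dns_match(v, target) for k, v in san)

# Constructed SAN list: a cert issued for the DuckDNS name only.
SAN = [("DNS", "myhome.duckdns.org")]

def check_all():
    """Evaluate the ways a LAN client might address the same server."""
    targets = ["myhome.duckdns.org", "192.168.1.10", "hassio.local"]
    return {t: cert_covers(t, SAN) for t in targets}

if __name__ == "__main__":
    for target, ok in check_all().items():
        print(f"{target:22} {'accepted' if ok else 'REJECTED: name not in certificate'}")
```

Only the FQDN is accepted, so any URL handed to a LAN device has to use that name (and resolve to the server inside the network) or the connection has to be plain HTTP.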

@shark711, thanks and you made me very happy to think I might have even been close to being on the right lines!

Yes I have no port forwarded but doesn’t LetsEncrypt still offer some benefit when HA communicates with other applications in the outside world?

If you had port forwarding enabled before, I assume your HA is running on a NATed IP. This implies that without port forwarding, the external world/internet cannot access your HA via HTTP/HTTPS directly. As such, you might not need encryption. The HTTPS (SSL) encrypts the traffic between the client and the server, and seeing that both are trusted (i.e. within your network and no longer external) it is generally safe and SSL is just overkill. If it is a public network, or an open WiFi, where someone can hop on your network and sniff out your traffic, and with everything in clear text, they can capture any sensitive data you might be sending across the wire, like passwords. But if you are on a secure WiFi (for example, WPA2 encrypted home WiFi where only a select few have the password), and you no longer expose HA to the internet, I don’t see the need for SSL.
