Let’s Encrypt setup for subdomains

The instructions say to add this blurb to the configuration.yaml. Does this mean to add this exactly as it is shown below? Or should I be using example.com instead?

http:
  base_url: https://my-domain.tld:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

And for the LE config (below). Assuming example.com, mqtt.example.com, hass.example.com all point to my modem’s WANIP, I would need to forward the 80,443, 8123 (and others) to my Hassio internal ip, right? And what is the point in registering mqtt.example.com with LE? How would a Hassio Mosquito addon take advantage of such a certificate so my mqtt clients could point to https://mqtt.example.com:1833. Isn’t the certificate residing inside it’s own docker environment?

{
“email”: “[email protected]”,
“domains”: [“example.com”, “mqtt.example.com”, “hass.example.com”]
}