Secured connection for both remote and local URLs (SSL, letsencrypt)

Goal:

Have two addresses, one for remote access and the other for local access, both running behind HTTPS, and without the need to bypass any SSL warning in the browser (in the companion app it’s simply failing)

Problem:

I can’t get my installation to serve valid HTTPS for both local and remote URLs.
It means my companion app cannot really use the alternative address over SSL.

My approach:

  • I configured my DNS to have two addresses that point to my public IP. Let’s call these home-remote.example.com and home-local.example.com
  • I add a local DNS entry that translates home-local.example.com to the local IP (i.e. homeassistant.local). My goal here, and it may be completely wrong, is to make sure the CA (cert authority) is able to get to my local installation from outside my network in order to validate the certificate, but have my local devices remain within my local network
  • I added the local domain to my letsencrypt addon’s configuration in HA
  • Configured the remote and local addresses under Settings > Network:
    "external_url": "https://home-remote.example.com",
    "internal_url": "https://home-local.example.com",
  • I configured my router to accept both URLs

It’s important to note that the external URL works perfectly fine.

What do I see when running Let’s Encrypt add-on:

When I start the addon, I’m getting the following error:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: home-local.example.com
  Type:   connection
  Detail: xxx.xxx.xxx.xxx (my external IP): Fetching http://home-local.example.com/.well-known/acme-challenge/gvM...VaE: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

As written above, the external URL validates fine, so this is not a firewall problem.
Any ideas of how I can get this to work?
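A pre-flight check for the failure described above, added here as an example and not part of the original post or of the Let's Encrypt add-on. It reproduces what the CA does for an HTTP-01 challenge (look up the public A record, connect to port 80) and separates a split-horizon DNS override from a missing port forward; the hostnames, the 203.0.113.5 public address and the injectable resolve/probe hooks are assumptions.

```python
import ipaddress
import socket


def resolve_here(host: str) -> str:
    """Address this machine's resolver returns (includes any local DNS override)."""
    return socket.gethostbyname(host)


def probe_port80(ip: str, timeout: float = 5.0) -> str:
    """TCP connect to ip:80 the way the CA does; 'open', 'refused' or 'timeout'."""
    try:
        with socket.create_connection((ip, 80), timeout=timeout):
            return "open"
    except socket.timeout:          # subclass of OSError, so it must come first
        return "timeout"
    except OSError:
        return "refused"


def diagnose(host, public_ip, resolve=resolve_here, probe=probe_port80):
    """Explain why an HTTP-01 check for `host` may fail.

    public_ip is the A record the CA sees in public DNS. resolve and probe
    are injectable so the decision logic can be exercised without network.
    """
    local_ip = resolve(host)
    # A private answer from the local resolver never reaches the CA; it only
    # changes where devices on the LAN connect.
    split = local_ip != public_ip and ipaddress.ip_address(local_ip).is_private
    state = probe(public_ip)
    if state == "timeout":
        verdict = ("%s:80 times out: 80/tcp is not forwarded to the certbot "
                   "host, which is exactly the error certbot reports" % public_ip)
    elif state == "refused":
        verdict = ("%s:80 refused: forwarding exists but nothing listens; "
                   "start certbot standalone before probing" % public_ip)
    else:
        verdict = "%s:80 reachable; HTTP-01 should succeed" % public_ip
    if split:
        verdict += (" (locally %s resolves to %s, but the CA only ever uses "
                    "the public record)" % (host, local_ip))
    return {"local_ip": local_ip, "split_horizon": split,
            "port80": state, "verdict": verdict}


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1], sys.argv[2]))  # e.g. home-local.example.com 203.0.113.5
```

Run the probe from outside the LAN (or a phone on mobile data), since many routers do not hairpin connections to their own public address from inside. If exposing port 80 is not acceptable, the ACME dns-01 challenge type validates through a DNS TXT record and needs no inbound connection at all.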