I tried this too a couple of months ago; OP is right, certbot doesn't support the CNAME aliases: it lacks the logic to add the TXT record to the redirected name instead of the name in the certificate.
I use acme.sh which does support it: https://news.ycombinator.com/item?id=47066072
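To make the CNAME-alias point concrete, here is an added example (my own toy model, not code from certbot, acme.sh or the thread): it simulates a client that writes the DNS-01 TXT record at the certificate's own `_acme-challenge` name versus one that first follows the CNAME chain, and checks what a CA-style validator would see. The zone data, the names `example.com` / `acme-delegate.example.net` and the key authorization string are all constructed for the demo.

```python
import base64
import hashlib

# Constructed example zone (hypothetical names): the challenge label under the
# certificate name is delegated by CNAME into a zone used only for ACME.
CNAMES = {
    "_acme-challenge.www.example.com.": "_acme-challenge.example.com.",
    "_acme-challenge.example.com.": "www.example.com.acme-delegate.example.net.",
}


def normalize(name: str) -> str:
    """Lowercase and make the name fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def challenge_owner(domain: str) -> str:
    """Owner name the CA queries for the DNS-01 TXT record (RFC 8555 s8.4)."""
    return "_acme-challenge." + normalize(domain)


def follow_cnames(name: str, cnames: dict, max_hops: int = 8) -> str:
    """Return the name reached by following CNAMEs from `name`.
    A loop or an over-long chain is reported as a misconfiguration."""
    seen = []
    current = normalize(name)
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at " + current)
        seen.append(current)
        current = normalize(cnames[current])
    return current


def dns01_txt_value(key_authorization: str) -> str:
    """TXT content: base64url(SHA-256(key authorization)) without padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def naive_plan(domain: str, key_authorization: str, cnames: dict):
    """Client without alias support: TXT goes at the certificate's own name."""
    return challenge_owner(domain), dns01_txt_value(key_authorization)


def alias_aware_plan(domain: str, key_authorization: str, cnames: dict):
    """Follow the CNAME chain first; TXT goes at the redirected name."""
    owner = follow_cnames(challenge_owner(domain), cnames)
    return owner, dns01_txt_value(key_authorization)


def publish(zone_txt: dict, owner: str, value: str, cnames: dict) -> bool:
    """Simulated DNS provider: a node that holds a CNAME may hold no other
    data (RFC 1034 s3.6.2), so a TXT at an aliased name is refused."""
    owner = normalize(owner)
    if owner in cnames:
        return False
    zone_txt.setdefault(owner, set()).add(value)
    return True


def ca_validates(domain: str, key_authorization: str, zone_txt: dict,
                 cnames: dict) -> bool:
    """Simulated CA: query _acme-challenge.<domain>, following CNAMEs as a
    resolver would, and look for the expected TXT value at the target."""
    target = follow_cnames(challenge_owner(domain), cnames)
    return dns01_txt_value(key_authorization) in zone_txt.get(target, set())


def run_scenario(plan, domain: str = "www.example.com",
                 key_authorization: str = "token.thumbprint") -> bool:
    """Publish the record according to `plan`; report whether validation passes."""
    zone_txt = {}
    owner, value = plan(domain, key_authorization, CNAMES)
    if not publish(zone_txt, owner, value, CNAMES):
        return False
    return ca_validates(domain, key_authorization, zone_txt, CNAMES)


if __name__ == "__main__":
    print("naive client validates:", run_scenario(naive_plan))
    print("alias-aware client validates:", run_scenario(alias_aware_plan))
```

The loop guard in `follow_cnames` is the part worth keeping in any real implementation: a delegated challenge zone is often managed by a different team or provider, and a mis-pointed CNAME otherwise turns into an unbounded resolution chain.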
I still find this hard to believe without some actual example RRs and certbot configs, but this is HN, not serverfault.