> My experience has been that CertBot doesn't play well with CNAME delegation […]

A CertBot ticket on the subject opened January 2026:

* https://github.com/certbot/certbot/issues/10555