Can you use a Let's Encrypt certificate for port 8090 error web pages (Captive Portal?)

I've been using a self-certificate with its name being the IP address of Port 1 (my LAN). And in Admin and User Settings, I specify this certificate and set it to Use the IP Address of the First Internal Interface, which works. (Though I think that's because I've also put the device's self-CA certificate on all of my own internal machines and trusted it, to support TLS decryption and inspection.)

So I figured it'd make it easier for guests if I used the Let's Encrypt certificate. In Admin and User Settings, this would seem to require choosing Use the Firewall's Configured Host Name. And that seemed to check -- but not work -- once, but trying it again, Check Settings says that the hostname does not resolve to an internal interface's IP address.

This should be fairly straightforward, shouldn't it? Shouldn't a URL whose hostname's IP is my EXTERNAL IP (Port 2) somehow be able to work internally with the Let's Encrypt certificate? I've created a loopback NAT to Port 1, which does fire off, but evidently I need to do more. I tried creating an ACL exception rule (since Firewall rules don't work with local services), and that's not worked either.

It LOOKED like it worked at first because I could get to the HTTPS console via the hostname, but it wasn't actually working correctly. (I do not have internal DNS. My firewall hostname is my domain name.)