In case anyone else is looking through this thread later, the best path forward in our case was to start using DigitalOcean's free DNS service and then change the domain configuration in Cloudron from manual to DigitalOcean.
Our Cloudron apps are hosted under a subdomain of the top-level domain, so we needed to set up both the top-level domain and the subdomain in DigitalOcean, with name server records for the subdomain defined at the top-level domain. We also needed to change our domain registrar's setup so that they would point to DigitalOcean's name servers as authoritative for the domain.
All of this worked and has resulted in us being able to have a Cloudron instance that is not reachable from the public internet in any way but is still able to use Let's Encrypt certificates for everything via Cloudron's automatic certificate management.
If you go down this path, please be sure to get things set up, change the domains configuration, sync DNS, renew certificates, and reboot the Cloudron server. If things are configured properly, you should be able to see that the certificates being used switch from your manually loaded certificate to the Let's Encrypt certificate.
Ultimately this results in HTTPS connections between apps, like Nextcloud and OnlyOffice, working by default without a workaround needed to bypass certificate verification.
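
A check for the final step described in the post above, as an added example that is not part of the original post or of Cloudron: it confirms that a zone is served only by DigitalOcean's name servers and that an app hostname presents a certificate issued by Let's Encrypt. It assumes `dig` and `openssl` are installed; the zone and hostname arguments are whatever your own setup uses.

```shell
#!/bin/sh
# Added example; zone and host names passed in are the reader's own.

# Reads `dig +short NS <zone>` output on stdin. Succeeds only if there is at
# least one name server and every one is a DigitalOcean name server.
ns_all_digitalocean() {
    count=0
    while IFS= read -r ns || [ -n "$ns" ]; do
        [ -n "$ns" ] || continue
        case "$ns" in
            ns[1-3].digitalocean.com|ns[1-3].digitalocean.com.)
                count=$((count + 1)) ;;
            *)
                return 1 ;;
        esac
    done
    [ "$count" -gt 0 ]
}

# $1 is the line printed by `openssl x509 -noout -issuer`. Matches the
# organization field with or without spaces around "=".
issuer_is_letsencrypt() {
    printf '%s\n' "$1" | grep -Eq "O ?= ?Let's Encrypt"
}

# Live check. Run it from a machine that can reach the Cloudron server,
# since the server is not exposed to the public internet.
check_live() {
    zone=$1
    host=$2
    if dig +short NS "$zone" | ns_all_digitalocean; then
        echo "OK   $zone is served by DigitalOcean name servers"
    else
        echo "FAIL $zone has missing or non-DigitalOcean NS records"
    fi
    issuer=$(openssl s_client -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null)
    if issuer_is_letsencrypt "$issuer"; then
        echo "OK   $host serves a Let's Encrypt certificate"
    else
        echo "FAIL $host still serves another certificate: $issuer"
    fi
}

# Usage: sh check.sh <zone> <app-hostname>
if [ "$#" -eq 2 ]; then
    check_live "$1" "$2"
fi
```

Run it once for the top-level domain and once for the subdomain, since both zones have to resolve through DigitalOcean for the DNS-based certificate issuance to work.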