@robw Sorry for the delayed response, we are just coming back from vacation and catching up on support tickets.
If I understand correctly, the Cloudron server has a different outbound IP than the one it detects. We have a custom endpoint (https://api.cloudron.io/api/v1/helper/public_ip) which helps us detect the IP of a server but I guess this detection goes wrong because of your setup.
To fix/work around this: In the domain setup wizard, you can simply choose "no-op" as the DNS provider. With this provider, all DNS checks are disabled, and as long as the domain is somehow able to resolve and reach your Cloudron, it should all work. Another thing is that port 80 needs to be reachable as well for Let's Encrypt to work. If this is not possible, you can select 'Self Signed Certs' in the Advanced section of the domain UI.