For these kinds of setups, it's easiest if you use one of the automated DNS options (i.e. not manual or wildcard).
Set up service1.domain.tld as one of the automated DNS options. Not sure where domain.tld is already hosted, but if it's not one of the options we support, you can always create a zone called service1.domain.tld and host the zone in one of the DNS services. In your proxy, forward https://service1.domain.tld AND `https://*.service1.domain.tld` (hope it supports wildcard) to the Cloudron VM. It should work with valid certs with the above setup.