Just an FYI for anyone trying to auto-generate SSL certs for TrueNAS Scale. After adding your DNS Authenticator under Credentials > Certificates, you need to create a CSR in a slightly specific way.
You can accept all defaults, but for the alternate names, put your root domain first and your fqdn second. I had problems when trying to reverse. Also of course, make sure the common name is your FQDN.
If you do not want your root domain in there (AKA wildcard cert) then disregard.