Thanks for the explanation!!
I think I did as you have described in your “TLDR ideal scenario”, but then it stopped working after some months.
Is this because when in Full (strict) mode, it fails to renew the Let’s Encrypt certificate (“can’t acquire a fresh one.” like you have mentioned)?