That's a restriction documented in the readme. Duckdns validation results in a cert with only one address covered. That's because duckdns only allows one TXT record set.
So it can cover only one of the following at a time:
The readme recommends using the second option so it covers all (sub)subdomains, and using the www endpoint instead of the naked domain.