The "Active" at the bottom of the page is only for the TLS (SSL/HTTPS) certificate, which only renews every 90 days. The certificate is name based, not numeric address based, so doesn't need to update when the IP changes. The DDNS binds the name to the address; it updates when your WAN interface comes up, periodically, and if your WAN IP changes. Essentially that active status at the bottom of the page is cached from when it last successfully obtained/updated the encryption certificate. The "Let's Encrypt" service on the router aborts as it's supposed to do when the DDNS service fails and the DDNS hostname (configured on the page) hasn't changed, and is really just log noise that should be ignored when the DDNS has issues (fix the DDNS first, then worry about Let's Encrypt only if it continues to log errors).
Seems like there's a bug in the DDNS service on the new firmware, sounds like it's not detecting the WAN IP correctly (with the internal method, but the external method apparently works). The above is just to clarify that you need to ignore the Let's Encrypt side of it when looking at a DDNS problem, and what the two halves of that config page are about.
It may not be the problem here, but incorrect external address by the internal method could be due to a problem at the ISP end. You should check that your WAN interface isn't being assigned a RFC1918 private address (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges) or falling back to a RFC3927 automatic address (169.254.0.0/16 range), and that you're seeing the a correct public IP address on the interface.
There are various sites out there which will tell you the your public IP address, to confirm what's sites outside your ISP see. You can just stick "what is my IP
" into Google search, or Google recommend a couple of sites
for getting that info in more detail:
Although the problem appeared to coincide with a firmware update, the restart of the router which accompanied the update would request/renegotiate the IP address with your ISP, so it's possible the problem was at their end. If your ISP service is supposed to include a public IP address and doesn't have any NAT or proxy setup on the ISP end, the address on your WAN interface should normally match the address reported by those sites (or be on the same subnet if your service includes multiple addresses).