Internal certificates & TLS issues

Hi guys, I'm trying to figure out why my setup isn't working and I think I am in a little over my head. Some help would be appreciated!

So, I have my own domain name hosted with Cloudflare. I decided to use my domain name to get myself certificates on my internal network, so I can access all of my services via https. My cert provider is Cloudflare. I get that this is probably unnecessary, but hey.

So where this becomes an issue is when I try to expose my services to the internet. The problem appears to be TLS. If I enable TLS for my internal network e.g. (plex.local.mydomain.com) everything works just fine. But, if I want to access a service like Plex externally from plex.mydomain.com, I get a '404 File not found' error. However, if I disable TLS, the external link works.

I'm guessing this has something to do with my certificate conflicting with Cloudflare's end? Here is what my config looks like for Traefik:

  - "traefik.enable=true"
  - "traefik.http.routers.traefik.entrypoints=web"
  - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.mydomain.net`)"
  - "traefik.http.middlewares.traefik-auth.basicauth.usersFile=.htpasswd"
  - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
  - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
  - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
  - "traefik.http.routers.traefik-secure.entrypoints=websecure"
  - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.mydomain.net`)"
  - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
  - "traefik.http.routers.traefik-secure.tls=true"
  - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
  - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.mydomain.net"
  - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mydomain.net"
  - "traefik.http.routers.traefik-secure.service=api@internal"

Now my Plex config:

  # internal routing
  - traefik.http.routers.plex-internal-secure.entrypoints=websecure
  - traefik.http.routers.plex-internal-secure.rule=Host("plex.local.mydomain.net")
  - traefik.http.routers.plex-internal-secure.tls=true
  - traefik.http.routers.plex-internal-secure.service=plex-internal
  - traefik.http.services.plex-internal.loadbalancer.server.port=32400
  # external routing
  - traefik.http.routers.plex-external-secure.rule=Host("plex.mydomain.net")
  - traefik.http.routers.plex-external-secure.entrypoints=websecure

This configuration works to give me HTTPS internally and externally, but I guess it's not ideal? I have had to create two different rules though (plex-internal and plex-external). Enabling TLS for plex-external will result in a 404.

Combining Host('plex.local.mydomain.net','plex.mydomain.net') results in a 404 for the external rule - again I'm guessing because of TLS.

I would love someone to teach me how to fix this and give me some pointers on how to better secure my setup. Thanks guys!
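
An added example, not part of the original post: a small Python check over the router labels quoted above that reports, per router, whether TLS is enabled and whether its Host names fall under the certificate names requested through tls.domains. The function names (parse_routers, covered, audit) are assumptions made for this illustration, and the label set is a subset copied from the post.

```python
import re

# Router labels copied from the post (a subset, YAML quotes stripped).
LABELS = """
traefik.http.routers.traefik-secure.entrypoints=websecure
traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.mydomain.net`)
traefik.http.routers.traefik-secure.tls=true
traefik.http.routers.traefik-secure.tls.domains[0].main=local.mydomain.net
traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mydomain.net
traefik.http.routers.plex-internal-secure.entrypoints=websecure
traefik.http.routers.plex-internal-secure.rule=Host("plex.local.mydomain.net")
traefik.http.routers.plex-internal-secure.tls=true
traefik.http.routers.plex-external-secure.rule=Host("plex.mydomain.net")
traefik.http.routers.plex-external-secure.entrypoints=websecure
"""

def parse_routers(text):
    """Group traefik.http.routers.<name>.<option>=<value> labels by router name."""
    routers = {}
    for line in text.splitlines():
        m = re.match(r'\s*-?\s*"?traefik\.http\.routers\.([^.]+)\.([^=]+)=(.*?)"?\s*$', line)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return routers

def covered(host, pattern):
    """Certificate-style match: '*' stands for exactly one leftmost DNS label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def audit(text):
    routers = parse_routers(text)
    # Every certificate name requested via tls.domains[n].main / .sans on any router.
    names = [n.strip() for r in routers.values() for k, v in r.items()
             if k.startswith("tls.domains") for n in v.split(",")]
    report = {}
    for name, opts in routers.items():
        hosts = re.findall(r"""[`"']([^`"']+)[`"']""", opts.get("rule", ""))
        # A router with TLS set only handles HTTPS requests; one without only plain HTTP.
        tls = opts.get("tls") == "true" or any(k.startswith("tls.") for k in opts)
        # Hosts with no matching certificate get Traefik's default certificate.
        uncovered = [h for h in hosts if not any(covered(h, n) for n in names)]
        report[name] = {"hosts": hosts, "tls": tls, "uncovered": uncovered}
    return report

if __name__ == "__main__":
    for router, info in audit(LABELS).items():
        print(router, info)
```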