I've been having the same issue with DuckDNS DDNS via the Palo Alto and finally got it to work after what seems like hours of downloading certificates from Starfield and trying different combinations... as this was the only post I've been able to find with anything relevant I thought I would add what finally worked for me.
I tried multiple different combinations of intermediate certificates and adjusting other settings.
What finally worked was using Firefox, going to www.duckdns.org, opening the SSL certificate properties and exporting the root certificate and each of the intermediate certificates down the chain in order (I numbered the three of them for simplicity.) I then cleared out other test certificates, imported them in order one by one setting the very top one as a Trusted root CA - but not setting any of the intermediates as trusted root CAs and I did not import the DuckDNS certificate itself. I then created a new Certificate Profile and added each of the certificates to the profile in order, set the Certificate Profile that I created in the dynamic DNS profile and saved it.
Low and behold a test "dns-proxy ddns update interface name vlan" in the CLI finally worked, when I checked the logs under Monitor -> Logs -> System -> ( subtype eq ddns )
For reference, the Advanced -> DDNS -> Hostname entry was set as the DDNS hostname *without* the .duckdns.org appended. API Host at www.duckdns.org, Base URI at /update, Secret Token pasted in with no spaces or other characters (generally the default DuckDNS v1 settings with my own private key.
Hopefully that saves someone some of the same headaches - seems strange that these aren't trusted by default with OEM provided Certificate Profiles for each service in the OEM provided DDNS profiles.