OK, you could be causing yourself headaches trying to get everything working with self-signed certificates. If you will have people connecting from Outside (I assume Internet), you probably also need the RDS Gateway and not just Broker and RDWeb.
If you have already decided on the public name, maybe it is time to order a “Real” publicly signed certificate from a provider already trusted by ThinOS.
It will cost some money, but you may save a lot of time.
Be aware that you will probably not be able to order a Publicly signed certificate with .local domain names as SAN DNS entries, so Internal clients will need to be able to resolve the Public DNS name and get the Internal IP (Split DNS).
This guide helped me a lot when starting with this: https://www.rdsgurus.com/windows-2012-r2-how-to-create-a-mostly-seamless-logon-experience-for-your-remote-desktop-services-environment/
It is for RDS 2012R2, but most things probably still apply to 2019.
/Frank